Pentest tools are meant to be used by Red Teams to test attack surfaces, uncover security gaps and then close them. But these powerful testing tools can also be misused by cyber criminals, and unfortunately they are often overlooked by security defenses.
Unit 42, Palo Alto Networks' malware analysis team, is constantly on the lookout for new malware samples that match known Advanced Persistent Threat (APT) patterns and tactics. One such sample was recently uploaded to VirusTotal, where all 56 vendors that examined it rated it benign. In other words: none of the security providers recognized the danger of the malicious code hidden in a tool!
56 scanners on VirusTotal detect no threat
The sample contained malicious code related to Brute Ratel C4 (BRc4), the latest red-teaming and adversary attack simulation tool to hit the market. Although this tool has managed to stay out of the limelight and is less well known than its Cobalt Strike brethren, it is no less sophisticated. The tool is uniquely dangerous in that it is specifically designed to evade detection by Endpoint Detection and Response (EDR) and antivirus (AV) products. Its effectiveness is clearly shown in the above-mentioned lack of detection on VirusTotal across all providers.
Very clever and dangerous tool
Regarding C2, Unit 42 found that the sample called out to an Amazon Web Services (AWS) IP address in the United States over port 443. Also, the X.509 certificate on the listening port was configured to impersonate Microsoft, with an organization name of "Microsoft" and an organizational unit of "Security". In addition, using the certificate and other artifacts, Palo Alto Networks identified a total of 41 malicious IP addresses, nine BRc4 samples, and another three organizations in North and South America that have so far been affected by the malicious code in this tool.
This so far unique sample was packaged in line with well-known APT29 techniques and their recent campaigns, which leveraged well-known cloud storage and online collaboration applications. Specifically, the sample was packaged as a standalone ISO. The ISO contained a Windows shortcut (LNK) file, a malicious payload DLL, and a legitimate copy of Microsoft OneDrive Updater. Attempts to run the benign application from the ISO-mounted folder resulted in the malicious code being loaded as a dependency through a technique known as DLL search order hijacking. Although packaging techniques alone are not sufficient to definitively attribute this sample to APT29, these techniques show that users of the tool are now deploying BRc4.
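One defensive check for the sideloading chain just described, written here as an added example and not code from the Unit 42 report: it scans constructed Sysmon-style DLL-load events for a process executing outside a standard install directory that loads an unsigned DLL from its own folder, which is what a signed updater run from a mounted ISO looks like. The file names, drive letter and trusted-directory list are assumptions, not indicators from the report.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style "image loaded" events (Event ID 7); the file names
# are placeholders, not indicators from the Unit 42 report.
SAMPLE_EVENTS = [
    # Signed updater executed from a mounted ISO (drive D:) pulls an unsigned
    # DLL from the same folder: the search-order hijack pattern.
    {"Image": "D:\\OneDriveUpdater.exe",
     "ImageLoaded": "D:\\payload.dll", "SignatureStatus": "Unavailable"},
    # Same process loading a system DLL from System32: benign.
    {"Image": "D:\\OneDriveUpdater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "SignatureStatus": "Valid"},
    # Updater in its normal install directory loading its own signed helper.
    {"Image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveUpdater.exe",
     "ImageLoaded": "C:\\Program Files\\Microsoft OneDrive\\helper.dll",
     "SignatureStatus": "Valid"},
]

# Directories where a vendor-installed executable is expected to live (assumed list).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_trusted_dir(path: str) -> bool:
    """True if the path sits under a standard Windows install location."""
    return str(PureWindowsPath(path)).lower().startswith(TRUSTED_PREFIXES)


def is_sideload_candidate(event: dict) -> bool:
    """Flag a DLL load matching the ISO/LNK sideloading chain: the host process
    runs outside a trusted directory, the DLL comes from the process's own
    directory, and the DLL carries no valid signature."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    same_dir = exe.parent == dll.parent          # PureWindowsPath compares case-insensitively
    unsigned = event.get("SignatureStatus", "").lower() != "valid"
    return same_dir and unsigned and not in_trusted_dir(event["Image"])


def detect(events):
    """Return the ImageLoaded paths of all sideload candidates, in event order."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("possible DLL search order hijack:", hit)
```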
Security teams should pay attention to the tools
Overall, Unit 42 believes this study is significant in that it not only identifies a new Red Team capability that is largely unrecognized by most cybersecurity vendors, but more importantly, a capability with a growing user base, which Palo Alto Networks believes could be exploited by government-backed hackers. The current analysis provides an overview of BRc4, a detailed analysis of the malicious sample, a comparison between these samples and a recent APT29 sample, and a list of Indicators of Compromise (IoCs) that can be used to scan for this malicious activity.
Palo Alto Networks calls on all security vendors to put in place safeguards to detect activity from this pentest tool and all organizations to be alert to activity from this tool.
Conclusion of the study
- The emergence of a new penetration testing and attacker emulation capability is significant. Even more alarming is BRc4's effectiveness in overcoming modern defensive EDR and AV detection capabilities.
- In the last 2.5 years this tool has grown from a part-time hobby to a full-time development project with a growing customer base. As this customer base has grown to hundreds, the tool has garnered increasing attention across the cybersecurity space from both legitimate penetration testers and criminal cyber actors.
- Analysis of the two samples described by Unit 42, as well as the advanced approach used to package the malicious code, make it clear that criminal cyber actors have started exploiting this capability. Unit 42 of Palo Alto Networks believes it is imperative that all security vendors build protections to detect BRc4 and that all organizations take proactive measures to defend against this tool.
- Palo Alto Networks has shared these findings, including file samples and indicators of compromise (IoCs), with its fellow Cyber Threat Alliance (CTA) members. CTA members use this information to quickly deploy protections to their customers and systematically disrupt criminal cyber attackers.
About Palo Alto Networks
Palo Alto Networks, the global leader in cybersecurity solutions, is shaping the cloud-based future with technologies that transform the way people and businesses work. Our mission is to be the preferred cybersecurity partner and protect our digital way of life. We help you address the world's biggest security challenges with continuous innovation leveraging the latest breakthroughs in artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform and empowering a growing ecosystem of partners, we are the leaders in protecting tens of thousands of businesses across clouds, networks and mobile devices. Our vision is a world where every day is safer than the one before.