Threat Groups Observed Substituting Cobalt Strike for Stealthier Post-Exploitation Framework

Cyber threat actors are frequently observed deploying Cobalt Strike, a legitimate penetration testing and post-exploitation framework, on victims’ systems. Pen testers and cybersecurity red teams use Cobalt Strike in simulated attacks on an organization to probe for and exploit vulnerabilities. Its implant, the Beacon, is deployed on compromised hosts and used for surveillance and for running commands. After a simulated attack, the pen testers or red team work with the network defenders to close the security gaps that were identified and exploited.

Cobalt Strike has also been adopted by many threat actors, including ransomware gangs, for post-exploitation and lateral movement within a network. Cobalt Strike is a commercial product, not a free tool, but cracked versions are frequently shared on hacking forums. Malicious use of Cobalt Strike is likely to continue, but some threat actors have recently been observed switching to another commercial red team post-exploitation framework: Brute Ratel C4.

Brute Ratel C4 was developed by Chetan Nayak, who previously worked on the red teams at the cybersecurity firms Mandiant and CrowdStrike. Like Cobalt Strike, Brute Ratel offers a range of sophisticated post-exploitation capabilities for red teamers. What makes it more dangerous in the hands of malicious actors is that it was built from the outset to be far stealthier and to evade endpoint detection and response (EDR) solutions and antivirus engines. According to Palo Alto Networks’ Unit 42 team, a sample of Brute Ratel uploaded to VirusTotal on May 19, 2022 was detected as malicious by none of the 56 antivirus vendors that scanned it.

Instead of Beacons, Brute Ratel deploys Badgers: agents that connect to the command and control (C2) server, receive instructions and commands, and report back the results of actions taken on the victim’s system. Brute Ratel is not cheap, at $2,500 for a one-year license, but that is a small price for a tool of this capability. Safeguards have been put in place to limit availability to legitimate businesses: a buyer must verify its identity using a business email address, and the individual’s work history is also checked. A license is only issued if these verification checks are passed.

However, according to the developer in a conversation with Bleeping Computer, a license was leaked by a disgruntled employee of one of its customers. The post-exploitation tool has since been used by the Conti ransomware gang, and attacks using it are believed to have been conducted by the Russian state-sponsored hacking group tracked as APT29 (The Dukes/CozyBear). One way the malicious actors are thought to be getting around the verification checks is by creating fake US companies.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of