A recent security report found that unidentified threat actors are using the Brute Ratel C4 (BRc4) adversary simulation tool to evade detection and penetrate supposedly secure networks. According to the report, they managed to deliver the BRc4 “badger” remote-access payload, and most existing security tools did not flag it as malicious.
Threat Actors Now Use Adversary Simulation to Evade Endpoint Security
Adversary simulation cuts both ways: the same tools that let security teams test their defenses can be turned against those defenses by real adversaries.
Defeating endpoint security?
Endpoint security solutions did not become useless because Brute Ratel C4 was used in an attack. The payload went undetected only for a limited window, until vendors updated their detections.
Many endpoint security vendors share cyber threat intelligence globally, so newly discovered attacks are communicated promptly and every party can push the updates needed to detect both the existing attack and new variants of it.
According to the report, some security products detected the anomalous payload and others did not. That is not unusual: vendors differ in how well they handle zero-day attacks and threats that have not yet reached their threat intelligence feeds.
How the BRc4 payload was discovered
One of the malicious files that evaded detection was an ISO image posing as a CV submission. When the target double-clicks the lure it contains, a command prompt is launched together with OneDriveUpdater.exe, a legitimate Microsoft binary.
That executable sideloads a modified version.dll, which loads an encrypted payload file called OneDrive.update, decrypts it, and executes the first-stage shellcode. The shellcode runs as a thread inside RuntimeBroker.exe and begins contacting 174.129.157[.]251 on TCP port 443.
A second malicious file, badger_x64.exe, was found communicating with 159.65.186[.]50 on port 443. Pivoting on that infrastructure made it possible to identify potential victims in North and South America.
The researchers also found that the malicious files communicate with IP addresses that serve self-signed SSL certificates impersonating Microsoft Security, that the samples attempted to contact dozens more IP addresses, and that seven BRc4 samples were in circulation.
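The chain above (ISO lure, OneDriveUpdater.exe sideloading version.dll, shellcode beaconing from RuntimeBroker.exe, self-signed "Microsoft" certificates, the two C2 addresses, badger_x64.exe) is exactly what a hunt query should pivot on. The following is an added example written for this article, not code from the report or from any vendor: a small rule set that refangs the published indicators and runs them over constructed endpoint telemetry. The event schema (`kind`, `image`, `loaded`, `parent_image`, `dst_ip`, `dst_port`, `tls_subject`, `tls_issuer`) is an assumption loosely modelled on Sysmon fields, the cmd.exe parent relationship is inferred from the article's description of the lure, and the ATT&CK technique IDs are assigned here, not by the report.

```python
"""Hunt for the BRc4 delivery chain described above in endpoint telemetry.

Added example for this article, not code from the report or any vendor.
Field names are an assumption (Sysmon-like); adapt them to your EDR export.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted in the article, kept in the defanged form analysts share.
DEFANGED_C2 = ["174.129.157[.]251", "159.65.186[.]50"]
C2_PORT = 443
SIDELOAD_HOST = "onedriveupdater.exe"   # legitimate binary abused as the loader
SIDELOAD_DLL = "version.dll"            # DLL it loads from its own directory
INJECTION_TARGET = "runtimebroker.exe"  # process hosting the injected thread
BADGER_NAMES = {"badger_x64.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def refang(ioc: str) -> str:
    """Turn a shared indicator such as 174.129.157[.]251 into a matchable value."""
    return re.sub(r"\[\.\]", ".", ioc).replace("hxxp", "http")


C2_ADDRS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_C2}


@dataclass
class Finding:
    technique: str   # ATT&CK technique ID assigned here to the behaviour
    rule: str
    event: dict


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _in_system_dir(path: str) -> bool:
    return _norm(path).startswith(SYSTEM_DIRS)


def check_event(ev: dict) -> list:
    """Apply every rule to one event and return the findings it produces."""
    out = []
    kind = ev.get("kind")
    image = _basename(ev.get("image", ""))

    if kind == "process_create":
        if image in BADGER_NAMES:
            out.append(Finding("T1204.002", "known BRc4 badger file name executed", ev))
        # Assumption: the lure's command prompt is the parent of the loader.
        if image == SIDELOAD_HOST and _basename(ev.get("parent_image", "")) == "cmd.exe":
            out.append(Finding("T1204.002", "OneDriveUpdater.exe spawned by cmd.exe (ISO lure pattern)", ev))

    elif kind == "image_load":
        dll = ev.get("loaded", "")
        # The genuine version.dll lives in System32; a copy next to the EXE is a sideload.
        if image == SIDELOAD_HOST and _basename(dll) == SIDELOAD_DLL and not _in_system_dir(dll):
            out.append(Finding("T1574.002", "version.dll sideloaded from a non-system directory", ev))

    elif kind == "network_connect" and ev.get("dst_ip"):
        dst = ipaddress.ip_address(ev["dst_ip"])
        if dst in C2_ADDRS and ev.get("dst_port") == C2_PORT:
            out.append(Finding("T1071.001", "connection to a published BRc4 C2 address", ev))
        subj, issuer = ev.get("tls_subject"), ev.get("tls_issuer")
        if subj and subj == issuer and "microsoft" in subj.lower():
            out.append(Finding("T1573.002", "self-signed TLS certificate impersonating Microsoft", ev))
        if image == INJECTION_TARGET and dst in C2_ADDRS:
            out.append(Finding("T1055", "RuntimeBroker.exe beaconing to BRc4 C2 (injected thread)", ev))
    return out


def hunt(events: list) -> list:
    """Run the rules over a batch of events, preserving event order."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: the chain from the article plus two benign events.
SAMPLE_EVENTS = [
    {"kind": "process_create", "image": "E:\\OneDriveUpdater.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe"},
    {"kind": "image_load", "image": "E:\\OneDriveUpdater.exe", "loaded": "E:\\version.dll"},
    {"kind": "network_connect", "image": "C:\\Windows\\System32\\RuntimeBroker.exe",
     "dst_ip": "174.129.157.251", "dst_port": 443,
     "tls_subject": "CN=Microsoft Security", "tls_issuer": "CN=Microsoft Security"},
    {"kind": "process_create", "image": "C:\\Users\\victim\\Downloads\\badger_x64.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    # benign: a properly installed updater loads the real DLL from System32
    {"kind": "image_load", "image": "C:\\Program Files\\Microsoft OneDrive\\OneDriveUpdater.exe",
     "loaded": "C:\\Windows\\System32\\version.dll"},
    # benign: a browser session with a CA-issued certificate
    {"kind": "network_connect", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dst_ip": "142.250.80.46", "dst_port": 443,
     "tls_subject": "CN=www.google.com", "tls_issuer": "CN=GTS CA 1C3"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.rule}")
```

The sideload rule keys on where version.dll was loaded from rather than on a hash, because the loader is a legitimate signed binary and the DLL is what the attacker controls; the certificate rule flags issuer-equals-subject combined with a Microsoft name, which a trusted CA would never issue. Both survive a rebuilt payload, whereas the IP matches only hold until the operators rotate infrastructure.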
At the time of the report, 12 vendors identified the sample as malicious, with eight classifying it as “Brutel.” The researchers said this further supports that the in-memory code is associated with Brute Ratel C4.
Moreover, the way the ISO file is used resembles tradecraft attributed to APT29 (Cozy Bear). Together with the scan results, this has led researchers to suspect that the threat actors are using BRc4 to generate these payloads. It remains a suspicion at this stage, but several researchers are reportedly considering that threat actors have adopted Brute Ratel to aid their attacks.
From Cobalt Strike to Brute Ratel
Using an adversary simulation and red teaming solution such as Cobalt Strike in attacks is not new: ransomware operators and other cybercriminals have reportedly been sharing cracked versions of it to break into corporate networks and spread malicious files laterally.
Now some threat actors are shifting to Brute Ratel, which is regarded as more powerful and sophisticated than Cobalt Strike.
Security researchers characterize Brute Ratel as “uniquely dangerous”: it was built specifically to get around endpoint detection and response (EDR) and antivirus products so that red teams can test and strengthen defenses. It is now apparently serving threat actors as well.
A well-intentioned cybersecurity product
The creator of Brute Ratel, Chetan Nayak, has expressed willingness to cooperate with those working to address the emerging threat of abused adversary simulation tools.
Nayak says buyers are vetted before Brute Ratel is sold to them, to make sure the tool is not misused. “We only sell the product to registered companies and individuals with an official business email address/domain after verifying the business and the person’s work history,” Brute Ratel’s website states.
The website also states that using the tool for malicious activity is not authorized: if the company finds the software being used maliciously, it says it will cancel the license and assist law enforcement.
What needs to be done
In practice it is impossible to guarantee that only legitimate companies and individuals obtain the Brute Ratel adversary simulation and red teaming solution; as the cracked Cobalt Strike builds show, cybercriminals will find a way to get what they want.
What can be done is for EDR vendors and security solution providers in general to update their products to detect Brute Ratel activity and to take proactive measures against the threats it poses. The researchers who exposed this threat have already published the related IoCs and file samples; security firms need to incorporate them.
Enterprises and other users of endpoint security solutions should confirm with their provider that the product detects Brute Ratel activity and apply the corresponding updates as soon as they are available.
Additionally, since the observed activity has been mapped to MITRE ATT&CK techniques, organizations can use the framework, or security validation platforms built on it, to check their coverage against those techniques as part of their security posture.
Is Microsoft Defender for Endpoint Security good enough?
Microsoft Defender for Endpoint is a capable defense against endpoint attacks, but Microsoft has not published anything specific about its ability to catch Brute Ratel activity. Given how quickly threat intelligence is shared, it is reasonable to assume that Microsoft is working on detections or has already shipped them.
Microsoft also works with the MITRE ATT&CK framework: Microsoft Defender for Endpoint took part in the MITRE Engenuity ATT&CK Evaluations and performed among the industry leaders in detecting advanced endpoint attacks across platforms.
The Brute Ratel discovery shows how resourceful cybercriminals can be: they turn tools built for cyber protection into tools for breaking through defenses. Fortunately, the security community is rich in collaboration, frameworks, tools, and experts willing to share their latest findings and solutions. It is up to organizations and other potential targets to use them to their advantage.