top of page

Hackers successfully use Brute Ratel C4

According to research by Palo Alto Networks, although Cobalt Strike has been the most widely used tool to gain remote access to organizational endpoints, the Brute Ratel C4 payload (called "badger") is somewhat less well detected by antimalware vendors as a malicious tool. Even more, the techniques used by Brute Ratel are specifically designed to evade detection by antimalware and EDR tools. This includes in-memory payload as well as DLL API proxying to legitimate DLLs.

Brute Ratel's line of attack is apparently successful, as one of the files delivering the Brute Ratel C4 payload - a remote access payload similar to Cobalt Strike's Beacon - was not initially flagged as malicious by the security tools used by VirusTotal.

There are ransomware groups interested not only in using Brute Ratel, but also in setting up fake companies so they can buy licenses to use it.

Read attack details at Help Net Security.


Latest news

bottom of page