A dangerous post-exploitation toolkit, originally built for legitimate cybersecurity work, has now been cracked and leaked to hacking communities.
The toolkit is being shared on many different websites, and the potential consequences could be huge, as it could fall into the hands of various threat actors.
This can be bad. The post-exploitation toolkit in question, called Brute Ratel C4, was originally created by Chetan Nayak. Nayak is an ex-red teamer, meaning his job was to try to break into a network that was actively defended by a blue team. Afterwards, both teams discuss how it went and which security flaws should be fixed.
Brute Ratel was created for exactly that purpose. It was built for red teamers, with the ultimate goal of being able to remotely execute commands on a compromised network. This then gives the attacker easier access to the rest of the network.
Cobalt Strike is seen as a similar tool to Brute Ratel, and because it has been heavily abused by ransomware gangs, it has become quite easy to detect. Brute Ratel has not been that widespread until now, and its license verification system largely kept hackers at bay: Nayak can revoke the license of any company that turns out to be fake or misuses the tool.
Unfortunately, that is now a thing of the past, as a cracked version of the tool has started circulating. It was first uploaded to VirusTotal in its uncracked state, but a Russian group called Molecules managed to crack it and remove the license requirement entirely. This means that any would-be hacker can now get their hands on it if they know where to look.
Will Thomas, a cyber threat intelligence researcher, has published a report on the cracked version of the tool. It has already spread to many English- and Russian-speaking communities, including CryptBB, RAMP, BreachForums, Exploit[.]in, Xss[.]is, and Telegram and Discord groups.
“There are now multiple posts on several of the most populated cybercrime forums where data brokers, malware developers, initial access brokers and affiliated ransomware hang out,” Thomas said in the report. Speaking to Bleeping Computer, Thomas said the tool works and no longer requires a license key.
Explaining the potential dangers of the technology, Thomas said: “One of the most concerning aspects of the BRC4 tool for many security experts is its ability to generate shellcode that is not detected by many EDR and AV products. This expanded window of evasion from detection can give threat actors enough time to establish first access, initiate lateral movements, and achieve persistence elsewhere.”
Knowing that this powerful tool is out there, in the hands of hackers who should never have been allowed to access it, is absolutely scary. Let’s hope that antivirus software developers can strengthen their defenses against Brute Ratel soon enough.