Brute Ratel Deployed by BlackCat Ransomware operation

The BlackCat ransomware group has deployed a new binary Brute Ratel, a penetration testing suite with remote access to help with its intrusion efforts

The analysis results shown that the group is exploiting unpatched firewalls and VPNs to internal systems. The attackers used older report vulnerabilities discovered in 2018 to read memory from VPN systems and then log in as an authorized user.

Passwords from Active Directory DC has been dumped, using the latter to create accounts with administrative privileges. They then ran a scanning tool  to find additional targets and then spread internally via RDP attacking both Windows and ESXi servers.

PowerShell has been used as a key tool by which, downloaded Cobalt Strike beacons and Brute Ratel, which they installed as a Windows service called wewe. The attackers also used the AnyDesk and TeamViewer commercial remote access tools, and an open-source tool alternative called nGrok.

Customized ransomware binary  has been used in each attack that encrypted files and delivered a unique ransom message for each target with a link to the group’s Tor service. The binary required a 64-bit access token before it would run.

BlackCat searched the victims’ network for sensitive data, often using a PowerShell script to find machines on the network. It compressed the files using WinRAR and then uploaded them to their own servers.

Brute Ratel’s creators market it as a customized C2C for red teaming and adversary simulation, but like Cobalt Strike, it has a dual use – attackers can use it to compromise victims’ sites.