[MART] - Daily Diary #548 - Hackers switch from Cobalt Strike to Brute Ratel

CTAS-MAT ctas-mat at appgate.com
Fri Jul 8 19:33:24 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

07/08/2022 - Diary entry #548:

As mentioned in many of our Daily Diaries, Cobalt Strike is a legitimate security tool that allows security teams to test network defenses against advanced threat actors’ tactics, techniques, and procedures (TTPs). Being stealthy and modular, the Cobalt Strike beacon is also heavily used as a post-exploitation tool by cybercriminals in a variety of cyber attacks - deploying it in the early stage of an attack to monitor the network, move laterally, launch exploits, and execute other malicious payloads.

Recently, a tendency of cybercriminal groups to move away from Cobalt Strike has been noted, as EDR, antivirus, and other security solutions become more specialized in detecting its beacons. The new tool of choice is the "Brute Ratel" post-exploitation toolkit. Similar to Cobalt Strike’s beacons, Brute Ratel provides "Badgers", which can be deployed on compromised systems and receive commands from the C&C server.

Brute Ratel is largely undetected by most cybersecurity vendors, and is less well known than Cobalt Strike, while providing similar functionality. For this reason, we encourage organizations to be alert to the activity of this tool, using IOCs and file samples from previous attacks.

Kind Regards,
