#BruteRatel

2025-09-29

🌟New report out today!🌟

From a Single Click: How Lunar Spider Enabled a Near Two-Month Intrusion

➡️ Fake tax form JS (Lunar Spider) → Brute Ratel
➡️ Latrodectus → Cobalt Strike → BackConnect → .NET backdoor
➡️ Cred theft: LSASS, browsers, plaintext DA creds
➡️ Rclone exfil 20 days in
➡️ Nearly 2 months of C2 before eviction — no ransomware, just deep persistence.

Report: thedfirreport.com/2025/09/29/f

#DFIR #ThreatIntel #BruteRatel #CobaltStrike #IncidentResponse #DFIR

2024-09-24

Finally we also witnessed in the wild one of those #ClearFake / #ClickFix baits delivered by email as reported by Proofpoint in June - ending with a #brutel / #Latrodectus / #BruteRatel
payload proofpoint.com/au/blog/threat-

2024-07-12

Latrodectus Affiliate Resumes Operations Using Brute Ratel C4 Post Operation Endgame
#Latrodectus #BruteRatel
blog.reveng.ai/latrodectus-dis

2024-04-10

In the part two blog, Rapid7 provides a technical analysis of the typo squatted malvertising, PowerShell scripts, RAR contents, and the IDAT Loader. IOC provided. 🔗 rapid7.com/blog/post/2024/04/1

#threatintel #IDATLoader #BruteRatel #malvertising #IOC

2024-03-28

Rapid7 published a blog post (first of a two-part blog series) on a case study of IDAT Loader malware being distributed via a FakeUpdates campaign. The final payload is a Brute Ratel C4 badger. Rapid7 describes the attack chain, provides a technical analysis of the IDAT Loader, and provides IOC, MITRE ATT&CK TTPs and known sandbox usernames and analysis tools 🔗 rapid7.com/blog/post/2024/03/2

#threatintel #IDATLoader #BruteRatel #badger #IOC

Jesko Hüttenhain (rattle@infosec.exchange)
2023-10-14

The units "ngrams" and "bruteforce" can be used to do rudimentary brute forcing. The latter is a #FlareOn10 product, but the former came about when I was too lazy to find the 8-byte RC4 key for a #BruteRatel badger config in a memdump. Trying all 8-grams is surprisingly feasible!
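The "try every 8-gram in the dump as the RC4 key" approach described above, as an added example that is not part of the original post or of the binary refinery project: a plain RC4 routine, a plausibility filter for the decrypted output, and a sweep over every 8-byte window of a constructed memory dump. The dump, the key and the `c2_host=` marker are constructed for this example and are not taken from a real badger config.

```python
# Added example (not from the original post or binary refinery): sweep every
# 8-byte window of a memory dump as a candidate RC4 key for an encrypted blob.

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def looks_like_config(plain: bytes) -> bool:
    """Plausibility filter: mostly printable text containing a marker we expect.
    The 'c2_host=' marker is an assumption for this constructed sample."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plain)
    return printable >= 0.9 * len(plain) and b"c2_host=" in plain

def find_rc4_key(dump: bytes, blob: bytes, key_len: int = 8):
    """Try every key_len-byte window of dump as the key; return (offset, key, plaintext)
    of the first window whose decryption passes the filter, or None."""
    seen = set()
    for off in range(len(dump) - key_len + 1):
        cand = dump[off:off + key_len]
        if cand in seen:  # identical windows need only one RC4 run
            continue
        seen.add(cand)
        plain = rc4(cand, blob)
        if looks_like_config(plain):
            return off, cand, plain
    return None

# Constructed sample dump: junk bytes around the key, plus a blob encrypted with it
SECRET_KEY = bytes.fromhex("1f8ac3d7e592b064")
CONFIG = b"c2_host=example.invalid;port=443;sleep=60\n"  # constructed, not a real config
MEMDUMP = b"\x00" * 37 + b"\x90\x90 padding \x00" + SECRET_KEY + b"\xcc" * 41 + b"more junk\n"
ENCRYPTED = rc4(SECRET_KEY, CONFIG)

if __name__ == "__main__":
    off, key, plain = find_rc4_key(MEMDUMP, ENCRYPTED)
    print(f"key {key.hex()} found at offset {off}: {plain!r}")
```

On a real dump the filter is the part to tune: a marker string or a structural check on the expected config layout keeps the sweep from stopping on a chance printable decryption.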

Malwar3Ninja | Threatview.io (Malwar3Ninja@infosec.exchange)
2023-05-31

[Threatview.io] ⚡🌀 Our proactive hunter C2 scan telemetry indicates 13.82.141[.]216 hosting #BruteRatel C2 on port 443 since at least 07 July 2022 till date.

🏆The oldest #BruteRatel we have

🗓️11 Months 🤯

#ThreatIntel
#Malware
#CTI
#DFIR
#cybersecurity

Interesting analysis of Brute Ratel C2

protectedmo.de/brute.html

#infosec #c2 #bruteratel

Opalsec (Opalsec@infosec.exchange)
2023-02-19

Happy Monday, folks! It's time to shake off the cobwebs, so strap yourselves in and get your reading glasses out - here's a wrap-up of the week's infosec news, just for you: opalsec.substack.com/p/soc-gou

Australia's mandatory reporting laws for Critical infrastructure operators got its first win last week, with the CISC revealing 47 cyber incidents were reported in the 8 months to December last year. Congrats, but what does that actually mean?

#GoDaddy finally twigged to a multi-year compromise of their networks, after users reported odd redirects impacting their website visitors. Turns out they'd likely been owned since at least March 2020, and appear to have failed to evict the attackers at least twice.

Havoc is the latest C2 framework to be thrown in anger, this time against a government target and in a multi-staged delivery chain which featured several evasive measures. Seems like Sliver and Brute Ratel may soon be in good company!

Symantec researchers have unearthed Frebniis - a stealthy IIS backdoor novel for its hooking of a legitimate feature to covertly intercept attacker tasking.

A number of critical bugs in #Fortinet, #Apple, and #Citrix have been squashed - just make sure you know which ones, and apply those patches!

#redteam members are in for a treat, with a new Nim-based implant to play with and the OffensivePipeline tool to help automate obfuscation.

The #blueteam can look forward to a detailed look at attacks on #ESXi and how to mitigate it, as well as Hunt recommendations for evilginx2, and an update to Microsoft #Defender for Identity to help identify #ADCS abuse.

As always, there are literally dozens more research articles on threat actor activity and tradecraft that I can't summarise here, so make sure you take a look at this week's issue of SOC Goulash and get yourself up to speed!

opalsec.substack.com/p/soc-gou

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #SliverC2 #BruteRatel #criticalinfrastructure

Slayerranger/Crackamphetamine (crackamphetamine@cyberplace.social)
2023-01-24

Okay. I get it. #CobaltStrike is indeed the Gold Standard of C2 Post-Exploitation, followed by #BruteRatel. But are you aware that a lot of open-source frameworks are catching up? As long as you are willing to deal with breakages and working around bugs, you can do the same thing, including but not limited to Malleable C2 Profiles, fork-and-run techniques, no-PowerShell PowerShell commands, etc.

2023-01-03

What do y'all think about a #C2 detection series including #SecurityOnion and #Velociraptor, illustrating the complements and differences of host and network-based detection and response?

#BruteRatel
#CobaltStrike
#DFIR
#ESM
#Havoc
#Infosec
#NSM
#Sliver
#Sysmon

Chris Shields 🛩️ 🏴‍☠️ (r00t0v3rr1d3@infosec.exchange)
2022-12-15

Cool feature coming soon to Brute Ratel 1.4:
“…can use…any tool written in Clang/GCC in the memory of your own payload”. That would be a huge win because having to rewrite every BOF to be compatible with BRC4 is a gigantic pain and effectively eliminates one of the biggest benefits to BOFs…reuse.
#BruteRatel #BRC4 #BOF
