Cybercrime , Cybercrime as-a-service , Cyberwarfare / Nation-State Attacks

BlackCat Adds Brute Ratel Pentest Tool to Attack Arsenal

Gang Targets Large Corporations Across the US, Europe and Asia
BlackCat Adds Brute Ratel Pentest Tool to Attack Arsenal
BlackCat uses tried-and-true methods, such as attacking vulnerable firewalls and VPNs. (Image: ISMG)

The ransomware gang behind BlackCat ransomware has upgraded its arsenal by adding Brute Ratel, a pen-testing tool with remote access features.

See Also: Live Webinar | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

Threat researchers at Sophos say they've been tracking this ransomware group since December 2021, after being called in to investigate at least five attacks involving the ransomware.

They observed that these attacks occurred across the U.S., Europe and Asia at large corporations operating in different industry segments.

During their investigation, they found the attackers used a PowerShell command to download and execute Cobalt Strike beacons on some affected systems and also discovered that the attackers were using a tool called Brute Ratel, which they say has "Cobalt Strike-like remote access features."

"What we're seeing with BlackCat and other attacks recently is that threat actors are very efficient and effective in their work," Christopher Budd, senior manager, threat research at Sophos, tells Information Security Media Group. He describes how they use tried-and-true methods, such as attacking vulnerable firewalls and VPNs, because these still work. But they also innovate to avoid security defenses - including switching to the newer post-exploitation C2 framework Brute Ratel in their attacks.

The BlackCat ransomware-as-a-service group, which may be a rebrand of the DarkSide or BlackMatter ransomware groups, is also known as Alphv. Its malware is coded with Rust, a programing language known for fast performance and structural protections against some types of bugs. Analysis by cybersecurity firm Varonis shows the group actively recruiting operators with promises that affiliates can keep 90% of victims' payouts.

In June, BlackCat ransomware claimed the University of Pisa as a victim. The ransomware gang reportedly demanded a ransom of $4.5 million after seizing the university's IT system.

The attackers says the ransom is a "discount price" that will increase to $5 million if not paid quickly. An Italian news site shared a screenshot of the alleged ransom note, which contains a clock counting down the minutes until the price jumps (see: BlackCat Attacks University of Pisa, Demands $4.5M Ransom).

Investigation Details

Ransomware groups break into large-scale enterprise networks using BlackCat, and researchers found that the ransomers exploit unpatched vulnerabilities first disclosed in 2018 in firewall/VPN devices. In at least two cases, they have pivoted to internal systems after establishing a foothold from the firewall, the researchers say.

"In two others, the attackers targeted a different firewall vendor's product with a vulnerability that was disclosed last year," they add.

In one incident, however, the investigators found that the vulnerabilities allowed attackers to obtain VPN credentials from the firewall devices and use them to log in to the VPN as authorized users.

"None of the targets used multifactor authentication for these VPNs. The one outlier appears to have been a spear-phishing attack that revealed an internal user's VPN login credentials to the attackers," says Andrew Brandt, principal researcher at SophosLabs. "Once inside the network, the attackers predominantly used RDP to move laterally between computers, conducting brute-force attacks over the VPN connection against the Administrator account on machines inside the network."

The ransomware executable can spread itself laterally to Windows machines and is designed to target VMware ESXi hypervisor servers.

In another case, Sophos incident responders removed a compromised VPN account from the firewall and created a new credential combination. The researchers observed that the attackers ran the same exploit for the second time and were successful in extracting the newly created credential combination and they continued attempting to encrypt machines.

Using Remote Access Tools

Upon gaining the foothold into a network, the attackers install various remote access utilities in a system available in the network, which gives them backup methods to remotely connect to the targets' networks.

Sophos investigators found that the attacker used commercially available tools such as AnyDesk and TeamViewer and also installed nGrok, an open-source remote access tool.

"The attackers also used PowerShell commands to download and execute Cobalt Strike beacons on some machines, and a tool called Brute Ratel, which is a more recent pen-testing suite with Cobalt Strike-like remote access features," Brandt says.

Sophos researchers found that the Brute Ratel binary was installed as a Windows service named wewe in an affected machine.

One of the bigger challenges for the Sophos investigators was that some of the targeted organizations were running the same servers that were compromised using the Log4j vulnerability.

Apart from ransoming systems on the network, the threat actors collected and exfiltrated sensitive data from the targets and uploaded large volumes of data to Mega, a cloud storage provider.

The attackers used a third-party tool called DirLister to create a list of accessible directories and files, or in some cases used a PowerShell script from a pen tester toolkit, called PowerView.ps1, to enumerate the machines on the network. In some cases, they also used a tool called LaZagne to extract passwords saved on various devices, the researchers say.

Upon collecting the files, threat actors used WinRAR for compression of the files into .rar archives and used rsync for uploading the stolen data.

The researchers say that they found evidence that the attackers had penetrated the network months before they began investigating this case. They also saw that the attackers had installed "cryptominer software on 16 servers inside the company network in early November."


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent, ISMG

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.