The BlackCat ransomware group has deployed a new binary to help with its intrusion efforts, according to security company Sophos. The company has discovered it is using Brute Ratel, a penetration testing suite that includes remote access features for attackers.
Several Sophos customers called the company in to investigate BlackCat ransomware infections. The new analysis found the group is exploiting unpatched firewalls and VPNs to gain access to internal systems.
The attackers used vulnerabilities reported as early as 2018 to read memory from VPN systems and then log in as an authorized user. Along the way they dumped domain controller passwords, which they used to create accounts with administrative privileges. They then ran a scanning tool (netscanportable.exe) to find additional targets and spread internally via RDP. The attacks targeted both Windows machines and ESXi hypervisor servers.
The cyber-criminals used PowerShell as a key tool in their compromises, downloading Cobalt Strike beacons and Brute Ratel, which they installed as a Windows service called wewe.
Alongside Brute Ratel, the attackers also used the AnyDesk and TeamViewer commercial remote access tools, as well as an open-source alternative called nGrok.
Each attack used a custom ransomware binary that encrypted files and delivered a unique ransom message for each target with a link to the group’s Tor service. The binary required a 64-bit access token before it would run.
BlackCat also scoured the victims’ networks for sensitive data, often using a PowerShell script to find machines on the network. The group compressed the files using WinRAR and then uploaded them to its own servers. In some cases, the attackers simply used a Chrome browser for the upload, Sophos said.
Brute Ratel’s creators market it as a customized command and control center for red teaming and adversary simulation, but like Cobalt Strike it has a dual use: attackers can use it to compromise victims’ sites.
Palo Alto Networks’ Unit 42 research team found malicious actors using Brute Ratel earlier this month. The team called it uniquely dangerous, given its ability to avoid endpoint detection and antivirus tools. Unit 42 found Brute Ratel in a sample uploaded to the malware scanning site VirusTotal, where it dodged detection by 56 antimalware vendors. The tool’s users exhibited behavior similar to Russia’s APT29 hacking group, the Unit 42 report said.
Earlier this week, cybersecurity researchers from Resecurity said they had detected a substantial increase in the size of ransom demands made by the BlackCat ransomware group.