BleepingComputer reports that more ransomware groups and hacking operations have been using the Brute Ratel threat simulation tool instead of Cobalt Strike to conceal their attacks from antivirus and endpoint detection and response systems.
Nearly all security products failed to flag Brute Ratel, or BRc4, as malicious in the wild, according to a report from Palo Alto Networks' Unit 42 threat intelligence unit. The Russian state-backed hacking operation APT29, also known as CozyBear or Dukes, is suspected of being behind attacks leveraging Brute Ratel, in which malicious ISOs were distributed with an attached résumé file that loads Brute Ratel to enable remote device access and command execution.
While Brute Ratel developer Chetan Nayak, a former red teamer at CrowdStrike and Mandiant, noted that the attackers behind the new campaign obtained the software license through a leak by an aggrieved employee, AdvIntel CEO Vitali Kremez said that former Conti ransomware members have been setting up phony U.S. companies to obtain software licenses.
"The criminals behind the former Conti ransomware operations explored multiple penetration testing kits beyond usage of Cobalt Strike... To get access to the Brute Ratel licenses, the threat actors create fake US companies which are used as part of the verification process," added Kremez.
Augusta, Georgia, Mayor Garnett Johnson said that city officials have not communicated with the BlackByte ransomware operation, which took credit for a cyberattack against the city that began on May 21, according to The Record, a news site by cybersecurity firm Recorded Future.
The Clop ransomware operation, also known as Lace Tempest, TA505, and FIN11, has admitted to attacks that exploited a zero-day in the MOVEit Transfer file transfer app to compromise servers and exfiltrate data, after Microsoft attributed the intrusions to the group, BleepingComputer reports.