Evasive PenTesting Tool linked to Russian Hacking Group
Incident Report for Ascend Security Events
Resolved

Source: Palo Alto Networks Unit 42

Security researchers at Palo Alto Networks Unit 42 recently disclosed a malware sample that evaded every antivirus engine it was tested against and whose packaging and tradecraft are consistent with the Russian state-sponsored group APT29, also known as Cozy Bear. The sample carried a payload built with Brute Ratel C4 (BRc4), a recently released commercial red-teaming and adversary-emulation command-and-control framework.

This is particularly dangerous because BRc4 was specifically designed to evade endpoint detection and response (EDR) and antivirus (AV) products. Its effectiveness was plain to see: when the sample was uploaded to VirusTotal, all 56 vendors that scanned it returned a benign verdict. Note that a clean VirusTotal result reflects static file scanning only; it says nothing about whether behavioural EDR detections would catch the tool once it runs.

For command and control (C2), researchers found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over TCP port 443. The X.509 certificate presented on the listening port was configured to impersonate Microsoft, with an organization name of "Microsoft" and an organizational unit of "Security". By pivoting on that certificate and other artifacts, the team identified a total of 41 malicious IP addresses, nine BRc4 samples, and three additional organizations across North and South America that have been affected by this tool so far.

Indicators of Compromise (SHA256 file hashes, C2 IP addresses, and one domain; the IPs and domain are defanged with "[.]" and must be refanged before loading into detection tooling):

• 1fc7b0e1054d54ce8f1de0cc95976081c7a85c7926c03172a3ddaa672690042c
• 31acf37d180ab9afbcf6a4ec5d29c3e19c947641a2d9ce3ce56d71c1f576c069
• f58ae9193802e9baf17e6b59e3fdbe3e9319c5d27726d60802e3e82d30d14d46
• 3ed21a4bfcf9838e06ad3058d13d5c28026c17dc996953a22a00f0609b0df3b9
• 3ad53495851bafc48caf6d2227a434ca2e0bef9ab3bd40abfe4ea8f318d37bbe
• 973f573cab683636d9a70b8891263f59e2f02201ffb4dd2e9d7ecbb1521da03e
• dd8652e2dcfe3f1a72631b3a9585736fbe77ffabee4098f6b3c48e1469bf27aa
• e1a9b35cf1378fda12310f0920c5c53ad461858b3cb575697ea125dfee829611
• ef9b60aa0e4179c16a9ac441e0a21dc3a1c3dc04b100ee487eabf5c5b1f571a6
• d71dc7ba8523947e08c6eec43a726fe75aed248dfd3a7c4f6537224e9ed05f6f
• 5887c4646e032e015aa186c5970e8f07d3ed1de8dbfa298ba4522c89e547419b
• ea2876e9175410b6f6719f80ee44b9553960758c7d0f7bed73c0fe9a78d8e669
• b5d1d3c1aec2f2ef06e7d0b7996bc45df4744934bd66266a6ebb02d70e35236e
• 104.6.92[.]229
• 137.184.199[.]17
• 138.68.50[.]218
• 138.68.58[.]43
• 139.162.195[.]169
• 139.180.187[.]179
• 147.182.247[.]103
• 149.154.100[.]151
• 15.206.84[.]52
• 159.223.49[.]16
• 159.65.186[.]50
• 162.216.240[.]61
• 172.105.102[.]247
• 172.81.62[.]82
• 174.129.157[.]251
• 178.79.143[.]149
• 178.79.168[.]110
• 178.79.172[.]35
• 18.133.26[.]247
• 18.130.233[.]249
• 18.217.179[.]8
• 18.236.92[.]31
• 185.138.164[.]112
• 194.29.186[.]67
• 194.87.70[.]14
• 213.168.249[.]232
• 3.110.56[.]219
• 3.133.7[.]69
• 31.184.198[.]83
• 34.195.122[.]225
• 34.243.172[.]90
• 35.170.243[.]216
• 45.144.225[.]3
• 45.76.155[.]71
• 45.79.36[.]192
• 52.48.51[.]67
• 52.90.228[.]203
• 54.229.102[.]30
• 54.90.137[.]213
• 89.100.107[.]65
• 92.255.85[.]173
• 92.255.85[.]44
• 94.130.130[.]43
• ds.windowsupdate.eu[.]org

As a result, Ascend Technologies has pushed detections for the known IOCs to our EDR, SIEM, and anti-malware platforms. These IOCs include the IP addresses and file hashes listed above, which give us the ability to detect and alert on contact with this infrastructure or execution of these samples. Because BRc4 is built for evasion and its operators can rebuild payloads and move C2 servers, hash and IP matches should be treated as a minimum level of coverage rather than complete protection. As with most malware, end users are the initial target, which makes a robust security posture highly important, including end-user training that builds safe browsing and file-handling habits.
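The following is an added example written for this report, not code from Unit 42 or from Ascend's detection platforms. It shows the two hunting tasks described above: loading the defanged indicators (hashes, IPs, domain) into a form a SIEM sweep can use, and flagging TLS certificates that claim to be Microsoft the way the BRc4 C2 listener did. The event lines, hostnames, timestamps and the non-indicator addresses are constructed for the demo (documentation IP ranges), and the certificate heuristic (self-signed plus the exact O=Microsoft / OU=Security subject) is this example's assumption, not a published Unit 42 rule.

```python
"""Added hunting example (not code from Unit 42 or Ascend): refang the defanged
indicators published above and sweep constructed telemetry for them, plus a
heuristic for the Microsoft-impersonating TLS certificate described in the post."""
from __future__ import annotations

import ipaddress
import re

# A subset of the indicators listed above, defanged exactly as published.
IOC_TEXT = """
• 1fc7b0e1054d54ce8f1de0cc95976081c7a85c7926c03172a3ddaa672690042c
• 31acf37d180ab9afbcf6a4ec5d29c3e19c947641a2d9ce3ce56d71c1f576c069
• 137.184.199[.]17
• 172.81.62[.]82
• 18.133.26[.]247
• ds.windowsupdate.eu[.]org
"""

# Constructed key=value telemetry for the demo. Hosts, timestamps and the
# non-indicator destinations (RFC 5737 ranges) are made up, not from any incident.
SAMPLE_EVENTS = """\
ts=2022-07-05T14:02:11Z type=net src=10.1.2.33 dst_ip=172.81.62.82 dst_port=443 sni=
ts=2022-07-05T14:02:12Z type=tls dst_ip=172.81.62.82 subject="O=Microsoft,OU=Security" issuer="O=Microsoft,OU=Security"
ts=2022-07-05T14:05:40Z type=file host=WS-0421 sha256=31ACF37D180AB9AFBCF6A4EC5D29C3E19C947641A2D9CE3CE56D71C1F576C069 path=downloads/file.bin
ts=2022-07-05T14:06:02Z type=dns host=WS-0421 query=ds.windowsupdate.eu.org.
ts=2022-07-05T14:07:00Z type=tls dst_ip=203.0.113.10 subject="CN=login.example.com,O=Microsoft Corporation" issuer="CN=Example Public CA"
ts=2022-07-05T14:08:00Z type=net src=10.1.2.33 dst_ip=198.51.100.53 dst_port=53
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


def refang(indicator: str) -> str:
    """Undo the [.] / hxxp defanging used when indicators are published."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_iocs(text: str) -> dict[str, set[str]]:
    """Sort bullet-listed indicators into SHA256 hashes, IPv4 addresses and domains."""
    iocs: dict[str, set[str]] = {"sha256": set(), "ipv4": set(), "domain": set()}
    for line in text.splitlines():
        item = refang(line.lstrip("•").strip()).lower()
        if not item:
            continue
        if SHA256_RE.match(item):
            iocs["sha256"].add(item)
            continue
        try:
            ipaddress.ip_address(item)
            iocs["ipv4"].add(item)
        except ValueError:
            iocs["domain"].add(item.rstrip("."))
    return iocs


def parse_kv(line: str) -> dict[str, str]:
    """Parse one key=value event line; values may be double-quoted."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def parse_dn(dn: str) -> dict[str, str]:
    """Split an 'O=Microsoft,OU=Security' style name into attribute -> value."""
    return {k.strip().upper(): v.strip()
            for k, _, v in (part.partition("=") for part in dn.split(",")) if k.strip()}


def suspicious_cert(subject: str, issuer: str) -> bool:
    """Heuristic (this example's assumption, not a Unit 42 rule): the subject
    claims Microsoft and either the certificate is self-signed or it carries
    the exact O=Microsoft / OU=Security subject seen on the BRc4 listener."""
    s = parse_dn(subject)
    org = s.get("O", "").lower()
    if not org.startswith("microsoft"):
        return False
    self_signed = parse_dn(issuer) == s
    observed = org == "microsoft" and s.get("OU", "").lower() == "security"
    return self_signed or observed


def hunt(events: str, iocs: dict[str, set[str]]) -> list[tuple[int, str]]:
    """Return (line number, reason) for every event that matches an indicator
    or presents a Microsoft-impersonating certificate."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(events.splitlines(), 1):
        f = parse_kv(line)
        if f.get("dst_ip") in iocs["ipv4"]:
            hits.append((n, f"dst_ip {f['dst_ip']} is a BRc4 C2 indicator"))
        if f.get("sha256", "").lower() in iocs["sha256"]:
            hits.append((n, f"file hash {f['sha256'][:12].lower()}... is a BRc4 sample"))
        query = f.get("query", "").lower().rstrip(".")
        if query and query in iocs["domain"]:
            hits.append((n, f"DNS query for C2 domain {query}"))
        if f.get("type") == "tls" and suspicious_cert(f.get("subject", ""), f.get("issuer", "")):
            hits.append((n, "TLS certificate impersonates Microsoft"))
    return hits


if __name__ == "__main__":
    for n, why in hunt(SAMPLE_EVENTS, parse_iocs(IOC_TEXT)):
        print(f"line {n}: {why}")
```

Against the constructed events the sweep flags the first four lines (C2 IP twice, the impersonating certificate, the sample hash despite its upper-case spelling, and the C2 domain with a trailing dot) and leaves the legitimately issued certificate and the unrelated DNS traffic alone. In a real SIEM the same logic maps onto a watchlist join for the hashes, IPs and domain, plus a separate rule on certificate subject and issuer fields.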

Author: Evan Obal

Source: https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
Posted Jul 07, 2022 - 14:14 CDT