Researchers at Palo Alto’s Unit 42 recently discovered an undetected piece of malware that is packaged in ways that are consistent with tactics used by APT29 (CozyBear). This sample also included a payload for the Brute Ratel C4, a new red-teaming and adversarial attack simulation tool.
This sample was packaged as a self-contained ISO. Included in this ISO was a Windows shortcut (LNK) file that displays a Microsoft Word icon to entice users to execute it. Several other files are included in the ISO but are hidden from view using default Windows Explorer settings. Once opened, the LNK file launches a legitimate copy of OneDriveSetup.exe. However, using a technique called DLL search order hijacking, execution of OneDriveSetup.exe imports an accompanying malicious version of the legitimate Windows DLL “version.dll.” The ISO also contains a non-malicious copy of version.dll, renamed to vresion.dll. The malicious version.dll uses this legitimate version.dll file to pass on normal OneDriveSetup.exe system functions. A file named OneDrive.Update is also included in the original ISO and is a RC4 encrypted and base64 encoded version of a Brute Ratel payload known as Badger. The OneDrive.Update file is executed, Badger is installed, and Command and Control (C2) communication is established.
Brute Ratel is a post-exploitation framework in the same vein as Cobalt Strike. The developer of Brute Ratel reverse engineered several the most popular EDR and AV tools in order to learn how best to evade them. During their research, Unit 42 discovered that none of the AV products used by VirusTotal were detecting the embedded Brute Ratel Badger payload. It employs a number of evasion tactics including stripping DLL MZ headers from process memory space and executing as a thread under the legitimate Windows RuntimeBroker.exe process.