Chris Swagler | October 18th, 2022

Researchers discovered several distribution mechanisms when OAKBOT’s malware distribution continued last month after a brief hiatus. SmokeLoader (using the “snow0x” distributor ID), Emotet (using the “axd” distributor ID), and malicious spam using the “BB” and “Obama20x” IDs were among the distribution methods observed. Recently, a case involving the QAKBOT “BB” distributor resulted in the development of Brute Ratel, a framework like Cobalt Strike, utilized as a second-stage payload, which was detected by threat hunters as ‘Backdoor.Win64.BRUTEL’. This is a significant advancement because it’s the first-time threat researchers have seen Brute Ratel in this setting. Additionally, the attack used Cobalt Strike for lateral movement and was attributed to the threat actors behind the Black Basta ransomware.

Brute Ratel is a commercial Adversary Emulation framework that competes with more established players, including Cobalt Strike, and is new to the commercial C&C Framework space. Penetration testing professionals (Red Teams) are marketing adversary emulation frameworks, including Brute Ratel and Cobalt Strike, in legitimate penetration testing activities in which companies look to improve their ability to detect and respond to real cyberattacks. The frameworks are used to simulate the tactics, techniques, and procedures (TTPs) used by threat operators in network intrusions by providing hands-on keyboard access from remote locations. In addition to its legitimate use cases, Cobalt Strike has gained notoriety in recent years for its illicit use and near omnipresence in high-profile, human-operated ransomware attacks. It’s used as a common second-stage payload by Botnets, including QAKBOT (trojanSpy.Win64.QAKBOT), IcedID (TrojanSpy.Win64.ICEDID), Emotewt (TrojanSpy.Win64.EMTET), and Bumblebee (TrojanSpy.Win64.BUMBLELOADER).

However, numerous versions of Cobalt Strike have been leaked in recent years, hastening its malicious use by cyber criminals. Due to its popularity in comparison to Brute Ratel, its detection coverage is greater than the latter. As a result, Brute Ratel and other less established C&C frameworks are becoming increasingly appealing to malicious threat actors, whose activities can go undetected for a longer period. Recently, Brute Ratel has drawn the attention of cyber criminals’ underground threat actors, where they’re actively trading versions of the framework and circulating cracked versions. Brute Ratel’s developers acknowledged the leak in a recent post.

The campaign begins when potential victims receive a SPAM email containing a malicious new URL. The URL landing page provides the recipients a ZIP file with a password. Using password-protected ZIP files is most likely an attempt to avoid analysis by security solutions. The ZIP files only contain one .ISO file and attempt to use the ISO file to defeat the “Mark of the Web (MOTW),” which identifies files as being downloaded from the internet. The files are subjected to additional security measures implemented by Windows and endpoint security solutions. The ISO file includes a visible LNK file with the “Explorer” icon and two hidden subdirectories with various files and directories.

Hidden files are not displayed to the user by default on Windows operating systems. To conceal suspicious-looking command lines, QATBOT employs obfuscation across two script files, a JavaScript (.js) and a Batch Script (.cmd) file. The C&C Infrastructure is geographically distributed across compromised hosts that are primarily located in residential Internet Service Provider (ISP) broadband networks. The QAKBOT operators consider the “Tier 1” C&C Servers disposable and replace them frequently (almost every time there’s a new malware distributed) through some persist across numerous QAKBOT malware configurations. Six minutes after the initial C&C communication, and with the QAKBOT malware running inside an injected process (wermgr.exe), automated reconnaissance in the infected environment is conducted using various built-in command line tools.

The QAKBOT-injected wermgr.exe process drops the Brute Ratel DDL and invokes it using a rundll32.exe child process with the “main” export function five minutes after the automated reconnaissance activities are completed. The backdoor is an HTTPS that connects to the Brute Ratel Server at symantecuptimehost[.]com. Further reconnaissance in the environment is carried out to identify privileged users. The built-in net.exe and nltest.exe are used first. Second, the SharpHound utility is launched by Brute Ratel in an injected svchost.exe process to generate JSON files that are imported into BloodHound (which describes the Active Directory Organizational Units, Group Policies, Domains, User Groups, Computers, and Users). In preparation for exfiltration, the files are compressed into ZIP files. The entire procedure is scripted and takes less than two seconds.

The threat actors chose to use Cobalt Strike for lateral movement. Several beacon files are dropped into the same infected endpoint running Brute Ratel C4, and it’s as follows: C:\Users\Public\Name-123456.xls. The following command is used to execute this beacon file on the same host that is running the Brute ratel C4: rundll32 C:\users\public\Name-123456.xls,DllRegisterServer. They then delete the remaining beacon files and copies them to administrative shares on other hosts on the network, using filenames with XLS attachments once more.

The following command were used to copy the files:

The beacon C&C Servers are listed below:

Before any final actions can be taken, the threat actors are evicted from the environment. Based on the level of access and discovery activities, the most likely outcome is a domain-wide ransom development. Researchers discovered QATBOT using the “Obama” distributor ID prefix and dropping Brute Ratel C4 as a second-stage payload in a recent incident. The malware is delivered as a password-protected ZIP file through HTML smuggling, allowing threat operators to “smuggle” an encoded malicious script into an HTML attachment or web page. The script is decoded, and the payload is assembled once users open the HTML page in the browser. Users are presented with an ISO file after decrypting the ZIP file with the password provided in the HTML attachment. The ISO file contains malicious files which can be used as a bypass for the Mark of the Web.

With QAKBOT reappearing, researchers have noticed numerous variations in the execution chain, ranging from scripting languages to file extensions and using export function names and ordinals. The infection employs the same TTPs as the first kill chain. However, there was one notable difference in the C&C configuration that used DNS over HTTPS (DoH) rather than a more traditional HTTPS C&C Channel. The observed C&C servers used HTTPS with Let’s Encrypt. Threat operators can hide DNS queries from C&C domains by using DoH. DNS queries to the C&C server will go unnoticed if SSL/TLS traffic is not inspected using man-in-the-middle (MitM) techniques.

Based on the findings from the researchers, the QAKBOT-to-Brute Ratel-to-Cobalt Strike kill chain is linked to the group behind the Black Basta ransomware. The findings are from the observation of overlapping TTPs and infrastructure in Black Basta attacks. It’s not the first time that researchers have seen QAKBOT intrusions leading to Black Basta. To blend in with the environment, companies need to watch for the trending use of Cobalt Strike in attacks, living-off-the-land binaries (LOLBins), and red team or penetration-testing tools, including Brute Ratel C4. Additionally, users can protect their systems using managed detection and response (MDR) that uses advanced artificial intelligence to correlate and prioritize threats to determine whether they’re part of larger attacks. It can detect threats before they’re executed, preventing further compromises.

With the constant emergence of new, more sophisticated malware variants and the emergence of unknown threats, having solutions with advanced detection and response capabilities, such as the ShadowSpear Platform, a cutting-edge technology that provides powerful MDR capabilities to collect and correlate data across numerous security layers, including email and endpoints to servers, cloud workloads, and networks. ShadowSpear can detect and prevent attacks while ensuring that other significant incidents go undetected. Companies need to always remain vigilant of the current threat landscape and regularly update their network security posture. At SpearTip, our certified engineers are continuously working 24/7/365 at our Security Operations Center monitoring companies’ networks for potential ransomware threats, including Black Basta, and ready to respond to events at a moment’s notice.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.