Threat actors capitalize on red team tool capable of bypassing EDR, antivirus | #emailsecurity | #phishing | #ransomware


This audio is auto-generated. Please let us know if you have feedback.

Dive Brief:

  • Threat actors are deploying a highly dangerous red teaming tool, capable of bypassing antivirus and endpoint detection and response (EDR) protections, researchers from Palo Alto Networks Unit 42 said Tuesday. 
  • A malware sample uploaded to VirusTotal on May 19 contained a malicious payload Brute Ratel C4, which Unit 42 says is comparable to Cobalt Strike in the level of sophistication. 
  • The sample was undetectable and received a clean bill of health from all 56 vendors that evaluated it, according to Unit 42 researchers. 

Dive Insight:

The red team tool was originally launched in December 2020 by Chetan Nayak, a security researcher who operates under the name Paranoid Ninja, according to Unit 42 researchers. After making incremental improvements, a new version Brute Ratel v0.9.0 was released in January. 

The release description claimed the new version was developed after reverse engineering top tier EDR and antivirus dynamic-link library (DLL) products, according to the blog. In May, Patel claimed the tool had 350 customers and more than 480 licenses. 

“This tool is specifically designed to evade modern EDR products, making it dangerous and difficult to detect,” Pete Renals, principal researcher at Unit 42, said via email. “The tool itself provides a user with remote access to a target system.”

A penetration testing firm likely packaged a sample using techniques similar to APT29, according to Renals.

“The idea of red team tools can be controversial in the information security community,” Haris Pylarinos, CEO of Hack the Box, said via email. “On the one hand, they can be and are abused by malicious actors to exploit and damage innocent targets.”

However the benefits of these tools outweigh the costs, he said.

The access can be leveraged as an initial foothold, allowing a user to then move laterally, conduct exfiltration or engage in other malicious activity. 

Researchers have so far identified at least three victim organizations associated with a malicious actor: an Argentinian organization, an IP television company providing North and South American content and a major textile manufacturer in Mexico.



Original Source link

Leave a Reply

Your email address will not be published.

+ twenty eight = thirty five