6 July 2022

Researchers uncovered undetectable malware linked to Russia's APT



A state-sponsored hacking group has found a novel way to evade detection by using a rather controversial penetration-testing tool called Brute Ratel C4 (BRC4). According to a recent report published by Palo Alto Networks' Unit 42 threat intelligence team, this piece of malware currently evades 56 antivirus products.

In May 2022, the researchers discovered a sample that contained a malicious payload created with the Brute Ratel C4 tool. Its developers describe it as “A Customized Command and Control Center for Red Team and Adversary Simulation” and claim to have reverse-engineered “several top tier EDR and Antivirus DLLs.”

The attack chain begins with a fake CV of someone named Roshan Bandara. The CV is delivered as an ISO file, which is very unusual for documents of this kind.

“The ISO file is not malicious and requires a user to double-click, which mounts the ISO as a Windows drive. Finally, the archived files of the ISO are displayed to the user,” reads the report.

Obviously, the ISO file is not a CV. When double-clicked, it opens CMD.EXE and runs the OneDrive Updater, which retrieves and installs BRC4.
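As an added example (not code from the Unit 42 report or from this article), a small detection routine that correlates process-creation records into the chain described above: explorer.exe mounting the ISO, cmd.exe started from the mounted drive letter, and a OneDrive updater launched from it. The field names, the drive letter, the timestamps and the sample events are constructed assumptions; a benign updater launch is included to show the rule does not fire on it.

```python
import ntpath
from datetime import datetime

# Constructed process-creation records (Sysmon-like field names are an assumption).
# Drive E: stands in for the volume a double-clicked ISO is mounted as.
SAMPLE_EVENTS = [
    {"ts": "2022-05-19T10:00:00", "pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\rb"},
    {"ts": "2022-05-19T10:00:05", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cwd": "E:\\"},
    {"ts": "2022-05-19T10:00:06", "pid": 300, "ppid": 200, "image": r"E:\OneDriveUpdater.exe", "cwd": "E:\\"},
    # Benign comparison: the updater started by OneDrive itself from the user profile.
    {"ts": "2022-05-19T11:00:00", "pid": 400, "ppid": 100, "image": r"C:\Users\rb\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "cwd": r"C:\Users\rb"},
    {"ts": "2022-05-19T11:00:01", "pid": 500, "ppid": 400, "image": r"C:\Users\rb\AppData\Local\Microsoft\OneDrive\OneDriveUpdater.exe", "cwd": r"C:\Users\rb"},
]

SYSTEM_DRIVE = "C:"  # assumption: the OS drive; anything else is treated as a mounted volume


def _name(path):
    return ntpath.basename(path).lower()


def _drive(path):
    return ntpath.splitdrive(path)[0].upper()


def find_iso_lure_chains(events, window_seconds=60):
    """Return (cmd_pid, updater_pid) pairs where explorer.exe -> cmd.exe -> OneDriveUpdater.exe
    and either cmd.exe's working directory or the updater image sits on a non-system drive
    (the mounted ISO), with the updater launched within window_seconds of cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _name(e["image"]) != "onedriveupdater.exe":
            continue
        cmd = by_pid.get(e["ppid"])
        if cmd is None or _name(cmd["image"]) != "cmd.exe":
            continue
        explorer = by_pid.get(cmd["ppid"])
        if explorer is None or _name(explorer["image"]) != "explorer.exe":
            continue
        # Any drive letter other than the system drive is a mounted image or removable media.
        off_system = {_drive(e["image"]), _drive(cmd.get("cwd", ""))} - {SYSTEM_DRIVE, ""}
        delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(cmd["ts"])
        if off_system and 0 <= delta.total_seconds() <= window_seconds:
            hits.append((cmd["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    print(find_iso_lure_chains(SAMPLE_EVENTS))  # [(200, 300)]
```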

The described technique closely resembles that of a known APT group, namely APT29. This threat actor, also known as Cozy Bear, is believed to be linked to Russia’s intelligence services.

“The composition of the ISO file, Roshan_CV.ISO, closely resembles that of other nation-state APT tradecraft. The following table shows a side-by-side comparison of Roshan_CV.ISO and that of a previously identified APT29 sample (Decret.ISO),” said the researchers.
