6 July 2022

Researchers uncovered undetectable malware linked to Russia's APT

A state-sponsored hacking group has found a novel way to evade detection by using a rather controversial pentest tool called Brute Ratel C4 (BRC4). According to a recent report published by Palo Alto Networks' Unit 42 threat intelligence team, this piece of malware currently evades 56 antivirus products.

In May 2022, the researchers discovered a malware sample that contained a malicious payload created using the Brute Ratel C4 tool. Its developers describe it as “A Customized Command and Control Center for Red Team and Adversary Simulation,” and claim that they have reverse-engineered “several top tier EDR and Antivirus DLLs.”

The attack chain begins with a fake CV of someone named Roshan Bandara. The CV is delivered as an ISO file, which is very unusual for documents of this kind.

“The ISO file is not malicious and requires a user to double-click, which mounts the ISO as a Windows drive. Finally, the archived files of the ISO are displayed to the user,” reads the report.

Obviously, the ISO file is not a CV. When double-clicked, it opens CMD.EXE and runs the OneDrive Updater, which retrieves and installs BRC4.
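The chain described above (ISO mounted by the user, then CMD.EXE launched and an updater executed from the mounted drive) is the kind of sequence a SOC can correlate in endpoint telemetry. The following is an added example, not code from Unit 42 or from the article: a small Python correlation rule run over constructed log lines. The log format, the user names, the timestamps and the file name `OneDriveUpdater.exe` are all constructed for the example and are not indicators from the report; real telemetry (for instance Sysmon process-creation events) carries different field names, and the 300-second window is a tuning choice.

```python
"""Correlate ISO-mount events with follow-on process launches (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str            # "iso_mount" or "process_create"
    parent: str = ""     # process_create only
    image: str = ""      # process_create only
    cmdline: str = ""    # process_create only
    drive: str = ""      # iso_mount only, e.g. "E:"


# Constructed sample telemetry. Format:
#   <iso ts> <user> iso_mount <drive>
#   <iso ts> <user> process_create <parent> <image> <command line>
SAMPLE_LOG = [
    r"2022-05-19T10:00:01 alice iso_mount E:",
    r"2022-05-19T10:00:04 alice process_create explorer.exe cmd.exe cmd.exe /c start E:\OneDriveUpdater.exe",
    r"2022-05-19T10:00:06 alice process_create cmd.exe OneDriveUpdater.exe E:\OneDriveUpdater.exe",
    r"2022-05-19T10:45:00 bob process_create explorer.exe cmd.exe cmd.exe /k cd C:\work",
    r"2022-05-19T11:00:00 bob iso_mount F:",
    r"2022-05-19T11:30:00 bob process_create explorer.exe notepad.exe notepad.exe F:\readme.txt",
]


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts_str, user, kind, rest = line.split(maxsplit=3)
    ts = datetime.fromisoformat(ts_str)
    if kind == "iso_mount":
        return Event(ts, user, kind, drive=rest.strip().upper())
    if kind == "process_create":
        parent, image, cmdline = rest.split(maxsplit=2)
        return Event(ts, user, kind, parent=parent.lower(),
                     image=image.lower(), cmdline=cmdline)
    raise ValueError(f"unknown event kind: {kind}")


def correlate(lines, window_seconds: int = 300):
    """Return alert strings for process launches tied to a recent ISO mount.

    Rule 1: cmd.exe spawned by explorer.exe whose command line references a
            drive letter the same user mounted from an ISO within the window
            (the double-click-to-shell step described in the article).
    Rule 2: any executable run directly from such a mounted drive.
    """
    mounts = {}   # (user, drive) -> mount time
    alerts = []
    window = timedelta(seconds=window_seconds)
    for line in lines:
        ev = parse_line(line)
        if ev.kind == "iso_mount":
            mounts[(ev.user, ev.drive)] = ev.ts
            continue
        for (user, drive), mounted_at in mounts.items():
            if user != ev.user or not (timedelta(0) <= ev.ts - mounted_at <= window):
                continue
            upper_cmd = ev.cmdline.upper()
            if ev.parent == "explorer.exe" and ev.image == "cmd.exe" and drive in upper_cmd:
                alerts.append(f"{ev.ts.isoformat()} {ev.user}: cmd.exe launched from "
                              f"mounted ISO {drive} -- {ev.cmdline}")
            elif upper_cmd.startswith(drive):
                alerts.append(f"{ev.ts.isoformat()} {ev.user}: executable run directly "
                              f"from mounted ISO {drive} -- {ev.cmdline}")
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the rule fires twice for `alice` (the explorer-spawned cmd.exe and the executable launched from `E:`) and stays silent for `bob`, whose cmd.exe has no mounted drive in its command line and whose notepad.exe merely opens a text file from the mounted image. Widening the window does not change that, which is the property a detection engineer wants before deploying such a rule: the ISO mount alone is not the signal, the shell-and-execute sequence after it is.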

The described technique closely resembles that of an APT group, namely APT29. This threat actor, also known as Cozy Bear, is believed to be linked to Russia’s intelligence services.

“The composition of the ISO file, Roshan_CV.ISO, closely resembles that of other nation-state APT tradecraft. The following table shows a side-by-side comparison of Roshan_CV.ISO and that of a previously identified APT29 sample (Decret.ISO),” said the researchers.
