Release v1.4 (Blitzkrieg) - Reflection in a Nutshell

Brute Ratel v1.4, codename Blitzkrieg, is now available for download. This release brings a few new features, updates to the EtwTI evasion techniques, and quality-of-life (QOL) improvements requested by the BRc4 community. A quick summary of the changes can be found in the release notes.

Pricing and Support

Before we dive into the feature updates, an important announcement I would like to highlight is the change in pricing. The year 2022 was a great year for Dark Vortex as we crossed the 600 customer mark. Brute Ratel has always followed the strategy of keeping the cost at a minimum while still providing the utmost stability and cutting-edge research to avoid detection by EDR and antivirus. Various releases in the past year saw heavy changes to Brute Ratel’s core to adapt to the detection techniques brought in by EDRs, such as threat-intelligence-based detections via ETW, hooking of library loads, hooking syscalls via Syscall Enter event tracing, detections of sleep masking and more. To perform this type of research, we need access to various EDRs and need to understand how they detect the payloads. We were able to achieve evasion by reversing some EDRs provided to us by our customers, or by purchasing some EDRs ourselves. Apart from just building Brute Ratel, we also have to continuously monitor for malicious usage of the product, continuously change the encryption methods for licensing to make it hard for anyone to crack the product licensing, and maintain the licensing on the QT GUI side, all of which comes at a cost.

Keeping all of this in mind, the price of Brute Ratel is now increased from 2500 US$ to 3000 US$ for all new purchases starting from February 1st 2023, and all renewals starting next year will also cost the same. However, for our existing valued customers, the renewal cost stays the same, i.e. 2250 US$ for this year. Customers who have already subscribed to a multi-year license are unaffected until their next renewal. Note that the pricing is inclusive of all taxes and is still lower than that of its competitors, while still providing more features, instant Discord/Google Meet support and reliability.

PE Reflection (not RDLL)

The first major feature update is reflection of unmanaged executables. Badger can run any unmanaged executable compiled with Clang or MinGW within its own memory, which avoids process creation events and the creation of a new process altogether. Running executables in memory, rather than reflective DLLs, was first introduced in release v1.1, and before that in a blog post I wrote quite a while back, Executing Shellcode from Object Files/PE. However, implementing this feature without patching msvcrt.dll’s functions was a bit of a challenge. Some executables call ExitProcess when they return, and the entry point of an executable is usually the CRT startup routine (mainCRTStartup, which is linked into the executable and uses msvcrt.dll to set up argc/argv before calling main) rather than ‘int main()’ or ‘void main()’ itself. This meant that the badger had to be capable of handling the exits, so that it does not exit itself when the in-memory executable returns. One way to pass command-line arguments to the in-memory executable’s mainCRTStartup was to patch a few functions in msvcrt.dll, but that ship has long sailed for Brute Ratel, as we avoid patching things in memory in order to avoid getting caught. All of this is now possible in badger with the introduction of the memexec command.

The memexec command can run any console executable in memory and return the executable’s output through a custom in-process console reader. Below are screenshots of running mimikatz and a few Sysinternals tools:

Executing the mimikatz.exe coffee command in memory:

Executing handle64.exe from the Sysinternals suite to list open lsass handles:

Executing accesschk64.exe from the Sysinternals suite to check object access:

These are simple examples of running various executables in memory, and they bring Brute Ratel full circle on all types of reflection.
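As an added example (not BRc4 code), here is the pre-flight check a practitioner would want before handing a binary to an in-memory EXE runner such as memexec: confirm from the PE headers that the image is a console-subsystem, unmanaged EXE (no CLR directory, not a DLL) whose machine type matches the host process. The bitness requirement is my assumption, drawn from the statement that the executable runs inside the badger’s own memory; the post does not spell it out. The synthetic_pe helper builds a header-only image so the check can be exercised offline; it is constructed test data, not a runnable program.

```python
"""Pre-flight checks on a PE image before handing it to an in-memory EXE runner."""
import struct

IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64 = 0x14C, 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_DLL = 0x0002, 0x2000
IMAGE_SUBSYSTEM_WINDOWS_GUI, IMAGE_SUBSYSTEM_WINDOWS_CUI = 2, 3
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
CLR_DIRECTORY = 14   # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: non-zero RVA means a managed image


def inspect_pe(data: bytes) -> dict:
    """Pull machine, DLL flag, subsystem and CLR-header presence out of raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                   # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = 108, 112
    elif magic == PE32_MAGIC:
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    clr_rva = 0
    if ndirs > CLR_DIRECTORY:
        clr_rva = struct.unpack_from("<I", data, opt + dirs_off + 8 * CLR_DIRECTORY)[0]
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL),
            "subsystem": subsystem, "managed": clr_rva != 0}


def memexec_preflight(data: bytes, host_is_x64: bool = True) -> list:
    """Reasons this image is NOT a console, unmanaged EXE for the host's bitness.
    An empty list means every check passed. (Bitness match is an assumption, see lead-in.)"""
    info = inspect_pe(data)
    problems = []
    if info["is_dll"]:
        problems.append("image is a DLL, not an EXE")
    if info["managed"]:
        problems.append("image carries a CLR header (managed .NET); use the C# execution path instead")
    if info["subsystem"] != IMAGE_SUBSYSTEM_WINDOWS_CUI:
        problems.append("subsystem %d is not console (CUI)" % info["subsystem"])
    wanted = IMAGE_FILE_MACHINE_AMD64 if host_is_x64 else IMAGE_FILE_MACHINE_I386
    if info["machine"] != wanted:
        problems.append("machine 0x%x does not match host process" % info["machine"])
    return problems


def synthetic_pe(machine=IMAGE_FILE_MACHINE_AMD64, subsystem=IMAGE_SUBSYSTEM_WINDOWS_CUI,
                 characteristics=IMAGE_FILE_EXECUTABLE_IMAGE, clr_rva=0) -> bytes:
    """Constructed header-only PE image for offline testing (no sections, not executable)."""
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew: PE header follows the DOS header
    opt_size = 240 if pe32plus else 224                      # 112/96 fixed bytes + 16 data directories
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 68, subsystem)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)               # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, ndirs_off + 4 + 8 * CLR_DIRECTORY, clr_rva, 72 if clr_rva else 0)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

On a real binary, read the file and call memexec_preflight(open(path, "rb").read()); anything other than an empty list is a reason to reach for a different execution primitive than an unmanaged in-memory EXE runner.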

Socks5 with UDP Support

The earlier Socks4 support in Brute Ratel has been upgraded to full support for Socks4a and Socks5. An operator can now select whether to use Socks4a or Socks5 when starting the socks proxy server. There is also support for UDP, DNS resolution and Socks5 authentication. The socks implementation in BRc4 has undergone several changes and is now part of the core badger itself, unlike earlier, when the socks client in BRc4 made a separate HTTP connection. This of course removes the separate socks profile that was present earlier, but at the same time provides more stealth, as the new implementation supports socks while sleep masking is active.
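The wire formats behind the three capabilities named above (Socks5 authentication, proxy-side DNS resolution, and UDP), as an added example that is not BRc4 code: a small codec for the RFC 1928 and RFC 1929 messages, plus a constructed client/server exchange so it runs offline with no sockets. The credential pair, hostnames and payload are made up for the example, and how BRc4 carries these messages inside the badger’s own channel is not shown here.

```python
"""SOCKS5 (RFC 1928) message codec with username/password auth (RFC 1929) and the
UDP ASSOCIATE relay header. Constructed for illustration; no network I/O."""
import ipaddress
import struct

VER = 0x05
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def encode_address(host: str) -> bytes:
    """ATYP + address. A hostname goes out as ATYP 0x03 so the proxy end resolves it;
    that is what moves DNS resolution onto the proxy side instead of the client."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname longer than 255 bytes cannot be encoded")
        return bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed


def decode_address(buf: bytes, off: int):
    """Decode ATYP + address + 16-bit port at buf[off:]; return (host, port, next_offset)."""
    atyp, off = buf[off], off + 1
    if atyp == ATYP_IPV4:
        host, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif atyp == ATYP_IPV6:
        host, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    elif atyp == ATYP_DOMAIN:
        n = buf[off]
        host, off = buf[off + 1:off + 1 + n].decode("idna"), off + 1 + n
    else:
        raise ValueError("unknown ATYP 0x%02x" % atyp)
    return host, struct.unpack_from("!H", buf, off)[0], off + 2


def client_greeting(methods) -> bytes:
    """VER NMETHODS METHODS..."""
    return bytes([VER, len(methods)]) + bytes(methods)


def server_select(greeting: bytes, require_auth: bool) -> bytes:
    """Server picks user/pass when required, else no-auth; 0xFF means no acceptable method."""
    if greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    offered = set(greeting[2:2 + greeting[1]])
    wanted = METHOD_USERPASS if require_auth else METHOD_NOAUTH
    return bytes([VER, wanted if wanted in offered else METHOD_NONE_ACCEPTABLE])


def userpass_request(user: str, password: str) -> bytes:
    """RFC 1929 sub-negotiation: VER(0x01) ULEN UNAME PLEN PASSWD."""
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def userpass_check(msg: bytes, creds: dict) -> bytes:
    """Server side of RFC 1929; STATUS 0x00 is success, anything else is a failure."""
    ulen = msg[1]
    user = msg[2:2 + ulen].decode()
    plen = msg[2 + ulen]
    password = msg[3 + ulen:3 + ulen + plen].decode()
    return bytes([0x01, 0x00 if creds.get(user) == password else 0x01])


def request(cmd: int, host: str, port: int) -> bytes:
    """VER CMD RSV ATYP DST.ADDR DST.PORT, for CONNECT or UDP ASSOCIATE."""
    return bytes([VER, cmd, 0x00]) + encode_address(host) + struct.pack("!H", port)


def parse_request(buf: bytes):
    if buf[0] != VER or buf[2] != 0x00:
        raise ValueError("malformed SOCKS5 request")
    host, port, _ = decode_address(buf, 3)
    return buf[1], host, port


def udp_datagram(host: str, port: int, payload: bytes) -> bytes:
    """Datagram sent to the relay after UDP ASSOCIATE: RSV(2) FRAG(1) ATYP DST.ADDR DST.PORT DATA."""
    return b"\x00\x00\x00" + encode_address(host) + struct.pack("!H", port) + payload


def parse_udp_datagram(buf: bytes):
    if buf[:2] != b"\x00\x00" or buf[2] != 0x00:   # FRAG != 0 (fragmentation) is not handled here
        raise ValueError("unsupported UDP relay header")
    host, port, off = decode_address(buf, 3)
    return host, port, buf[off:]


def demo_exchange():
    """Constructed exchange: method selection, auth, CONNECT to a hostname, then a UDP relay datagram."""
    creds = {"operator": "hunter2"}                                   # constructed sample credentials
    selected = server_select(client_greeting([METHOD_NOAUTH, METHOD_USERPASS]), require_auth=True)
    auth_reply = userpass_check(userpass_request("operator", "hunter2"), creds)
    connect = parse_request(request(CMD_CONNECT, "dc01.corp.example", 445))      # constructed target
    udp = parse_udp_datagram(udp_datagram("10.0.0.53", 53, b"\x12\x34"))          # constructed payload
    return selected, auth_reply, connect, udp
```

Two points worth noting from the codec: Socks4a could only carry a hostname through the 0.0.0.x address trick, whereas Socks5 has a dedicated ATYP for it, and every UDP datagram through the relay repeats the full destination header, so UDP tunnelling costs a few extra bytes per packet.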

The video below summarizes all the features of this release.

Adhoc Updates

There are several other backend updates to the badger and the user interface, apart from the major features above:

  • Added a ‘note’ feature to Commander, which displays a note against each badger in the badger tab
  • Added a ‘clear_q’ command to the badger’s terminal to clear queued commands
  • Heavy updates to EtwTI evasion
  • Improved command-line parsing for sharpinline, coffexec, loadr and the other commands that execute C#, BOFs or reflective DLLs
  • The badger’s external IP in Commander now shows the CF-Connecting-IP or X-Forwarded-For header value when one is present
  • Added an option in Commander to hide badger columns; the selection is saved on the operator’s system

Starting this year, there will be only one major release per month; the rest of the releases will be minor feature updates or bug fixes/QOL improvements.