Release v1.9 - Eclipse

Brute Ratel v1.9 [codename Eclipse] is now available for download. This update includes enhancements in evasion techniques, anti-debugging measures, and new encryption keying methods for the core, along with an update to the licensing algorithm. Please note that, due to significant changes in the core architecture, the Ratel server, Commander and badgers of this release are not compatible with v1.8 or older releases.

One of the notable updates you’ll observe upon executing the Commander is the revamped interface for creating listeners and payload profiles. This modification aims to improve readability and the operator experience. The two new options added to the profiler and the listener are the killdate and the keying strategy. Unlike previous versions of Brute Ratel, where an operator had to configure the killdate after the badger had already been executed, in this release the date is validated before the core is executed. If nothing else is configured here, the default validity of the badger is 60 days from its generation. The kill date of each badger is also printed in the server logs when the badger is generated.

The second major update is the keying strategy. Until version 1.8, the badger only supported a custom encryption method, which is now known as the default method. This method hardcoded an operator-provided encryption key in the badger, which was used to decrypt the core. This meant that it was possible to extract the key from the shellcode and decrypt the core to build YARA rules. With this release, however, several new encryption keying techniques are in place. A detailed video on the keying mechanism is available to customers in the Discord channel.

These keying methods aim to make extraction of the core harder than before, and thus make it harder to generate YARA rules against it. Of course, a security solution can still build detections on the external shellcode wrapper that executes the core, but the wrapper does not trigger any kernel callback or ETW event that would initiate a scan for YARA rules or opcode patterns, and the wrapper is erased once the core has executed, so no trace of it remains.

Other updates to this release include:

  1. The killdate feature is now enforced before the implant executes. The default kill date is two months from the date of badger generation if no configuration is specified.
  2. Implemented new keying and anti-debugging mechanisms to harden the badger against reverse engineering.
  3. Improved DNS and DoH comms.
  4. Updated LDAP Sentinel for bofhound support. Output from LDAP Sentinel can be ingested directly into bofhound for BloodHound analytics, including support for security descriptors.
  5. Added raw DNS badger generation in the PayloadProfiler.
  6. Staging is automatically disabled if a listener is edited or restarted.
  7. Updates for stack spoofing during sleep zero.
  8. Updated raw DNS for Windows 7 and Server 2012 support.
  9. Fixed an HTML parsing bug in the UI where angle brackets were escaped while printing the command in the badger’s terminal.
  10. Added evasion for various YARA rules.
  11. Updated SOCKS and rportfwd for speed and socket timeouts.

These are the only operator-visible changes in this release. Most of the major work went into rewriting certain sections of the badger for a smaller footprint, the comm interface for raw DNS, and other internal changes for evasion. Additional information about these features is included in the documentation. The next release (v2.x) will introduce a completely redesigned and lightweight Brute Ratel (server, user interface and badger) from the ground up, marking the conclusion of major updates for the 1.x series. Stay tuned and Happy Hacking. :)