Brute Ratel v2.0 [codename Metamorphosis] is now available for download. This release introduces significant changes compared to previous versions, so it is strongly recommended to review this blog, the private videos, and the documentation before using it. The Badger component has undergone extensive rewrites, featuring major updates in evasion tactics and new functionalities. The server has been optimized for speed and efficiency, with significant improvements to the licensing algorithm, ensuring each license is linked to a specific host to prevent misuse. However, a license can still be transferred from one host to another, deactivating the previous one in the process. Additionally, several minor updates have been made to the Commander, which operators will notice during operation.
NOTE: This release is not compatible with any older release. Neither the server, the Badger, nor the Commander is backward compatible. It is important to note the changes in this release before deploying them in production.
Before we dive into the various changes in this release, let us first understand why the changes were required. It is common knowledge that, with the rising popularity of Brute Ratel, several organizations, large and small, are inclined to purchase the product for their red teams. As much as this is beneficial to Dark Vortex, it also brings in a few licensing problems. Several measures were taken to tackle this issue.
A single Brute Ratel license permits use by only one user. According to the EULA, this license allows deployment on up to three servers: two public-facing servers and one for a local test-dev environment. This arrangement is based on my experience during red team assessments, where typically a short-haul server, a long-haul server, and a test server configured to match the target infrastructure are sufficient for a single red team operation. If an organization runs multiple red team engagements with multiple people, then multiple licenses need to be purchased. However, it has been observed that some organizations were purchasing a single-user license and deploying it at large scale, allowing multiple users to connect to and operate on the server. To address this, the latest release of Brute Ratel strengthens the licensing algorithm to tie each license to the specific host on which it is activated. This is enforced through hardware checks on the host, ensuring that a license activated on one host cannot be copied to another. To activate Brute Ratel on a new host, the downloaded package must be transferred to the new host and activated there. This measure prevents the activation of the package on one host and its subsequent transfer to multiple other hosts. We recognize that this change poses a challenge for offline usage of the package. However, with this release, we are moving away from supporting offline activation due to potential misuse. Brute Ratel is designed for use by red teams, not for offline penetration testing or use on HackTheBox machines, as has been observed with some customers. We remain committed to this intended use.
Another strategic change in the sale of Brute Ratel is the decision to identify and sell the product only to organizations with experience in Red Team operations or a solid understanding of Windows internals. This change is due to instances where users lacked the necessary skills to use Brute Ratel effectively, expecting it to be a point-and-shoot tool, thereby compromising the integrity of the implants and ending up providing samples with zero opsec to security organizations. Brute Ratel IS NOT and WILL NEVER BE a point-and-shoot tool. Such tools are not suitable for Red Teams. While Brute Ratel includes official support for evasion, and each release incorporates new evasion techniques tested against more than 10 EDR products, it is essential to understand that the operator is responsible for writing the loader, selecting the appropriate configurations, utilizing its malleability, configuring the stomped module and the stack configurations (described below), among other tasks. Brute Ratel offers the necessary configuration options and builds shellcode based on these configurations, but safely executing the shellcode remains the operator's responsibility. In light of this, we have decided to cease renewals and reject sales to organizations where operators lack knowledge of, or the willingness to learn about, Red Teams (with more emphasis on willingness to learn) and instead seek a tool that performs all tasks with a single click.
The majority of the Badger has been rewritten in this release to enhance evasion capabilities and update the architecture. Here are some of the key changes, without delving too deeply into the internals:
A more detailed version of the updates and their usage is available in the offline documentation.
The core changes mentioned in the strategic policies above apply to the Ratel Server. Apart from these, several user-requested features have been added.
The latest release of the Commander focuses primarily on quality-of-life (QoL) enhancements. Below are the key updates:
These updates aim to enhance the overall user experience by simplifying processes and reducing potential errors.