Brute Ratel, Advanced IP Scanner, and NetSupport RAT

Brute Ratel is a customized command and control center that was created for red team and adversary simulation (1). Brute Ratel has a similar framework to Cobalt Strike, and is often deployed as a second-stage payload for further malicious activity.

While Brute Ratel was originally developed and is intended for legitimate penetration testing activities, Brute Ratel and similar tools are often abused by threat actors due to the ability to blend into normal traffic and the ability to provide persistent remote access.

In fact, Brute Ratel is most known for its use by the Qakbot and Black Basta ransomware operators (2).

The APG predicts that threat actors will likely continue to deploy and abuse Brute Ratel over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external incident reports that detail the use of Brute Ratel.

Brute Ratel is reportedly specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus capabilities and its effectiveness is likely a leading reason for the attractiveness of the tool for threat groups.

Brute Ratel was also likely advertised on dark web forums and marketplaces as a Cobalt Strike alternative – and consequently rose in popularity – as Cobalt Strike detections by defenders have increased significantly, due to previous threat actor overuse.

• In 2022, a cracked version of the Brute Ratel C4 was observed being advertised on English-speaking and Russian-speaking cybercriminal forums (3).

 

• In 2022, security researchers with Palo Alto reported an incident where an obtained sample contained a malicious payload associated with Brute Ratel C4 (4).
  • The researchers indicated that the sample was packaged in a manner consistent with observed APT29 techniques.
• In 2022, security researchers with Trend Micro reported a Qakbot malware incident that led to the deployment of the Brute Ratel tool and eventually the Black Basta ransomware (3).
  • Aligned with observed data exfiltration operation in Black Basta reported incidents, Trend Micro’s observed threat actors ran the SharpHound utility via Brute Ratel; SharpHound is the official data collector for the BloodHound utility.

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of Brute Ratel.

• Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software suspicious installations or abnormal methods, identifying threat actor behaviors.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities (and few end users have legitimate operational justifications to have such permissions).
• Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conduct certain activities.
• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access – including to install malware and tools such as Brute Ratel –  security training can help lower the risk of end users accidentally downloading malicious software… or even legitimate tools for malicious actions.

Advanced IP Scanner is a free network scanner used by system administrators and threat actors alike to analyze local area networks (LANs) and provides the following functionality (5):

• Shows all network devices,
• Gives access to shared folders,
• Provides remote control of computers, and
• Can remotely switch off computers.

Between Advanced IP Scanner’s ability to execute as an installer, its portable version, and its extensive capabilities, the tool has been adopted by both cybercriminal operations and APT groups,(8).

Specifically, threat actors abuse Advanced IP Scanner’s active scanning feature set during the reconnaissance attack phase prior to infiltration (6), and its network service scanning during their discovery phase after their initial compromise of a victim environment (7).

The APG predicts that threat actors will likely continue to deploy and abuse Advanced IP Scanner over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external reporting related to the use of Advanced IP Scanner tool during reported cyberattacks.

Blackpoint’s APG has tracked at least 13 ransomware operations that have abused the Advanced IP Scanner tool for various activities during reported cyberattacks, including:

• Akira
• INC Ransom
• Phobos
• Makop
• Trigona

The APG’s observations and tracking of threat actor use of Advanced IP Scanner aligns with other external research.

• In 2023, security researchers with Connectwise Cyber Research Unit (CRU) reported several incidents stemming from a malvertising campaign distributing a trojanized version of the Advanced IP Scanner installer (9).
  • Once the malicious version was downloaded it launched PowerShell to download and execute a .NET RAT, dubbed Parcel RAT.
  • The researchers attributed this incident to a threat group they dubbed UNC2465 – reportedly a former DarkSide ransomware affiliate.
• In 2024, Trustwave SpiderLabs security researchers reported a malicious version of the Advanced IP Scanner installer that contained a backdoored DLL module (10).
  • Reportedly, the victim had searched for the Advanced IP Scanner tool and inadvertently downloaded the compromised installer from a typo-squatted domain.
  • The incident led to malicious deployment of Cobalt Strike via the DLL module.

The APG recommends the following actions to help mitigate the deployment and abuse of legitimate tools, such as Advanced IP Scanner, by threat actors.

• Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious actions and malicious abuse of otherwise legitimate tools, such as Advanced IP Scanner.
• Provide end users with a dedicated software center, which allows employees to download approved software from a safe and monitored location. Approved software lists can aid in detecting software, such as Advanced IP Scanner, that is installed from a third-party location and therefore possibly malicious.
• Implement application controls wherever possible and practical. Application controls help prevent both installation and execution of portable versions of unauthorized software, which represent a significant security risk to your organization.
• Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious, and thus requires constant re-identification, authentication, and authorization at each gate rather than assuming that previous validations carry through to the next request.
  • Note: Zero trust embodies aggressive and continuous monitoring and management, which may be difficult to implement and maintain for organizations and departments not fully bought into the cybersecurity program. They may also require additional staffing and end user education to properly maintain. So, despite the inherent logic of a zero trust approach to organizational security, try some of the previous remediation options before attempting to deploy a zero trust solution at less mature organizations.

NetSupport Manager is a legitimate remote support tool that has been frequently abused by multiple threat actors for malicious activities (12). NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager tool, and supports multiple features, including:

• File transfers,
• Remote access to compromised environments,
• Keylogging, and
• The ability to take control of system resources.

The NetSupport RAT was first used for legitimate purposes in DOS environments in 1989, and was first observed deployed by threat actors in 2016 (13).

The NetSupport RAT tool is used by multiple threat groups due to its availability and capabilities; therefore, post incident attribution can be difficult.

The APG has recently summarized observed incidents using NetSupport RAT, likely for attempted persistence post-compromise.

However, due to the popularity of NetSupport RAT among cybercriminals and the Active SOC’s proactive actions on behalf of Blackpoint’s partners preventing full-scale attacks against managed environments, the APG does not have enough data at this time to determine which threat group or strategic patterning.

(We’d rather organizations remain secure before substantial damage occurs, than allow a threat actor to fully deploy their attack chain in an actively managed environment for our own academic curiosity! Honeypot analysis, however, is another story entirely.)

The APG predicts that threat actors will very likely continue to deploy and use NetSupport RAT over the next 12 months.

We base this assessment on (many!) internal Blackpoint observed attacks and external reporting on others’ observed NetSupport RAT use during reported incidents. Some select reports include:

• In November 2023, VMware security researchers reported an increase in NetSupport RAT detections (11).
  • The researchers reported that the majority of the infections observed were targeting the Academics, Government, and Professional & Commercial Services (specifically Business Services) verticals.
  • Researchers observed NetSupport RAT to be downloaded onto a victim’s computer via deceptive websites and fake browser updates; however, specific delivery tactics and techniques varied dependent upon each individual threat group’s attack patterns.
• In May 2024, Connectwise’s monthly threat brief included a list of the top five malware strains observed in April 2024. NetSupport RAT reigned as the top observed deployed malware within their environments. (14)

Connectwise’s report and other recent analysis we didn’t include here further support the APG’s assessment (and our Active SOC team’s lived reality) that threat actors are very likely to continue using widely available tools that have proven successful in other incidents – especially NetSupport RAT.

Blackpoint’s APG recommends the following actions to help mitigate the use of NetSupport RAT for malicious activities.

• Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
• Monitor system activity through heuristics-based triggers and alerts, which can help identify deviations from normal or expected behavior that indicates potential malicious behavior.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as such restrictions impede threat actors’ ability to leverage scripts for malicious actions on compromised user profiles.
• Multifactor authentication (MFA) and VPN use where feasible, to ensure only identified, authenticated, and authorized employees can access sensitive data and resources with an additional level of credential authentication.

1. Dark Vortex’s Website: “Brute Ratel” by Dark Vortex on N/A
2. Trend Micro’s Blog: “Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike” by Ian Kenefick Lucas Silva, and Nicole Hernandez on 2022-10-12
3. SANS’s Blog: “Cracked Brute Ratel C4 framework proliferates across the cybercrminal underground” by Wil Thomas on 2022-10-05
4. Palo Alto’s Blog: “When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors” by Mike Harbison and Peter Renals on 2022-07-05
5. 
   Advanced IP Scanner’s Website: “Advanced IP Scanner” by Famatech Corp. on N/A
6. 
   MITRE’s Repository: “Active Scanning” by MITRE on 2022-03-08
7. 
   MITRE’s Repository: “Network Service Discovery” by MITRE on 2023-08-11
8. Hunt & Hackett’s Blog: “Advanced IP Scanner: the preferred scanner in the A(P)T toolbox” by KRIJN DE MIK on 2021-10-22
9. 
   ConnectWise’s Blog: “Former DarkSide ransomware affiliate distributing trojanized installers via malvertising” by Blake Eakin on 2023-12-13
10. Trustwave’s Blog: “Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor” by Rodel Mendrez on 2024-06-05
11. VMware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo; Abe Schneider; Fae Carlisle on 2023-11-20
12. 
    Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Andi Ursry and Ashley Stryker on 2024-06-21
13. SenseOn Tech LTD’s Blog: “Into the Rat’s Nest: A SenseOn Analysis of the NetSupport RAT” by Isabel Carter on 2024-06-06
14. ConnectWise’s Blog: “Monthly Threat Brief: May 2024” by Bryson Medlock on 2024-06-24