Between June 19-26, 2024, Blackpoint’s Security Operations Center (SOC) responded to 179 total incidents. These incidents included 18 on-premises MDR incidents, 7 Cloud Response for Google Workspace incidents, and 154 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

  • Brute Ratel
  • Advanced IP Scanner
  • NetSupport RAT

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.


Brute Ratel Incident with Healthcare Partner on June 21, 2024

Topline Takeaways

  • Industry target: Healthcare
  • Attacker information:
    • Brute Ratel
    • .js initial file
    • Registry Run Key “funeral”
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Brute Ratel to exploit other Healthcare organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Heuristics-based activity monitoring and remediation
    • Scripting language controls
    • Least-privilege access controls
    • Employee security training

Brute Ratel Incident Timeline for 2024-06-21

  • Blackpoint’s MDR+R technology alerted to Brute Ratel activity on a Healthcare partner’s host.
  • Further investigation by Blackpoint’s Active SOC team tied the activity to the execution of aclui.dll from “C:\Users\$username\AppData\Roaming\”. The file name matches a legitimate Windows DLL that normally lives in System32; a copy executing out of a user-writable profile directory is the tell.
    • The execution of aclui.dll also added a registry Run key entry named “funeral” to the host.
    • The .dll file was downloaded onto the host by a “.js” file executed via wscript.exe.
    • The JavaScript file was downloaded via Microsoft Edge and executed from “C:\Users\$username\Downloads\”.
  • Active SOC analysts isolated the affected host in order to prevent further malicious activity, before reaching out to the Healthcare partner with additional information and remediation steps.
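The chain above (script host launched against a .js in Downloads, a DLL dropped under AppData\Roaming, a Run key entry pointing back into the user profile) is the same shape as the NetSupport .js-to-Run-key chain later in this post, and it is cheap to detect from endpoint telemetry. The following is an added example written for this post, not Blackpoint’s detection logic or Brute Ratel code: it runs three rules over constructed Sysmon-style process, file and registry records. The host names, paths, Run key value, the SYSTEM_DLL_NAMES list and the rundll32 export name in the sample are this example’s own assumptions.

```python
"""
Detection logic for the script-dropper chain: a script host (wscript.exe)
launched against a .js file in Downloads, a DLL written under AppData\Roaming,
and a Run key value that points back into the user profile. Events are
constructed Sysmon-style dictionaries (not Blackpoint telemetry); rule names
and the sample paths are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Locations an unprivileged user can write to. Payload drops and persistence
# that point here are worth an alert; the same artifacts under System32 or
# Program Files usually are not.
USER_WRITABLE = re.compile(
    r"[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)$", re.I)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Small constructed list of Windows system DLL names that droppers reuse so a
# payload looks like an OS component (aclui.dll ships in System32).
SYSTEM_DLL_NAMES = {"aclui.dll", "version.dll", "dbghelp.dll", "wininet.dll"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _script_arg(cmdline: str) -> Optional[str]:
    """Return the first command-line token that ends in a script extension."""
    for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', cmdline):
        tok = quoted or bare
        if SCRIPT_EXT.search(tok):
            return tok
    return None


def analyze(events: Iterable[dict]) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        host, kind = ev["host"], ev["type"]
        if kind == "process_create" and _basename(ev["image"]) in SCRIPT_HOSTS:
            script = _script_arg(ev["cmdline"])
            if script and USER_WRITABLE.match(script):
                findings.append(Finding(host, "script_host_user_path",
                    f"{_basename(ev['image'])} (parent {_basename(ev['parent'])}) ran {script}"))
        elif kind == "file_create" and ev["target"].lower().endswith(".dll"):
            if USER_WRITABLE.match(ev["target"]):
                note = (" (name matches a Windows system DLL)"
                        if _basename(ev["target"]) in SYSTEM_DLL_NAMES else "")
                findings.append(Finding(host, "dll_dropped_user_path",
                    f"{_basename(ev['image'])} wrote {ev['target']}{note}"))
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
            # Run key values that launch something from a user-writable path
            if USER_WRITABLE.search(ev["value"]):
                value_name = ev["key"].rsplit("\\", 1)[-1]
                findings.append(Finding(host, "run_key_user_path",
                    f"Run value '{value_name}' -> {ev['value']}"))
    return findings


# Constructed sample: one host showing the full chain, one host with benign
# look-alikes (an admin running a System32 script, a vendor Run key under
# Program Files) that must not fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\invoice.js"'},
    {"type": "file_create", "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\aclui.dll"},
    {"type": "registry_set", "host": "WS01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\funeral",
     "value": r"rundll32.exe C:\Users\jdoe\AppData\Roaming\aclui.dll,Start"},  # export name assumed
    {"type": "process_create", "host": "WS02", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cscript.exe C:\Windows\System32\slmgr.vbs /dlv"},
    {"type": "registry_set", "host": "WS02",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

The three rules fire only on WS01; the cscript.exe run from System32 and the OneDrive Run value on WS02 produce nothing, which is the point of keying on user-writable paths rather than on the script host or the Run key alone.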

More About Brute Ratel


Brute Ratel (also written Brute Ratel C4 or BRc4) is a commercial command and control (C2) framework built for red team and adversary simulation work (1). It is comparable in design to Cobalt Strike and is typically deployed as a second-stage payload from which further post-exploitation activity is run.

While Brute Ratel was developed and is licensed for legitimate penetration testing, it and similar tools are frequently abused by threat actors because their traffic blends into normal network activity and they provide persistent remote access.

Brute Ratel is best known for its use by the Qakbot and Black Basta ransomware operators (2).

APG Threat Analysis of Brute Ratel Abuse for 2024


The APG predicts that threat actors will likely continue to deploy and abuse Brute Ratel over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external incident reports that detail the use of Brute Ratel.

Brute Ratel is designed and marketed to evade endpoint detection and response (EDR) and antivirus products, and that effectiveness is likely the leading reason the tool is attractive to threat groups.

Brute Ratel was also likely advertised on dark web forums and marketplaces as a Cobalt Strike alternative – and rose in popularity accordingly – as defenders’ Cobalt Strike detections improved significantly in response to years of threat actor overuse.

  • In 2022, a cracked version of Brute Ratel C4 was observed being advertised on English-speaking and Russian-speaking cybercriminal forums (3).
  • In 2022, security researchers with Palo Alto reported an incident in which an obtained sample contained a malicious payload associated with Brute Ratel C4 (4).
    • The researchers indicated that the sample was packaged in a manner consistent with observed APT29 techniques.
  • In 2022, security researchers with Trend Micro reported a Qakbot infection that led to the deployment of Brute Ratel and eventually the Black Basta ransomware (2).
    • The threat actors ran the SharpHound utility through Brute Ratel; SharpHound is the official data collector for BloodHound and maps Active Directory relationships and privilege escalation paths, which is consistent with the discovery stage seen in reported Black Basta incidents.

Recommended Brute Ratel Abuse Mitigations and Remediations


Blackpoint’s APG recommends the following actions to help mitigate the malicious use of Brute Ratel.

  • Monitor system activity through heuristics-based triggers and alerts, which can surface suspicious installations of otherwise legitimate software and abnormal execution methods that indicate threat actor behavior.
  • Minimize the use of – or implement strict controls on – scripting languages and their hosts (wscript.exe, cscript.exe, PowerShell), as threat actors routinely rely on scripts to deploy malware and conduct malicious activity, and few end users have a legitimate operational need to run them.
  • Implement the practice of least privilege, which helps ensure regular user accounts cannot install tools or perform actions they do not need.
  • Conduct employee security awareness training, including how to spot a phishing email and how and when to report it to an incident response authority. As many threat actors still rely on social engineering to gain initial access – including to install malware and tools such as Brute Ratel – security training helps lower the risk of end users downloading malicious software… or legitimate tools repurposed for malicious actions.


Advanced IP Scanner Incident with Technology Partner on June 22, 2024

Topline Takeaways

  • Industry target: Technology
  • Attacker information:
    • Advanced IP Scanner
    • FortiClient.exe
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use Advanced IP Scanner to exploit other Technology organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Improve endpoint, asset, and overall environment visibility
    • Dedicated software center
    • Application allowlisting and blocklisting
    • Zero trust network architecture

Advanced IP Scanner Incident Timeline for 2024-06-22

  • Blackpoint’s MDR+R technology alerted to a flagged file “advanced_ip_scanner.exe” on a Technology partner’s host.
  • During the Active SOC team’s initial investigation:
    • The user account was observed actively:
      • Scanning the IP range 172.21.9.0/24
      • Pinging the IPs 172.21.1.25 and 172.21.1.26
    • Following the pinging activity, the user account was observed using FortiClient.exe to spawn a command prompt with the arguments /d /s /c “uname -v” (cmd.exe’s /d disables AutoRun commands, /s adjusts quote handling, and /c runs the command and exits).
      • On Unix-like systems, uname -v prints the kernel version. It is not a native Windows command, so seeing it on a Windows host points to either Unix tooling on the PATH or a tool running platform-agnostic discovery commands blindly; either way, a VPN client spawning a shell is not expected behavior.
  • Active SOC analysts isolated the user account and host to prevent additional malicious activity, before reaching out to the Technology partner with more information and remediation advice.
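Two of the signals in that timeline can be turned into detections without any knowledge of the scanner binary itself: a single host reaching many distinct addresses in one /24 within a short window (what a LAN sweep looks like in network telemetry), and an unexpected parent such as a VPN client spawning cmd.exe to run a Unix-only command. The example below is added for this post and is not Blackpoint’s detection logic; the 172.21.9.0/24 range comes from the incident above, while the host names, timestamps, thresholds, and the EXPECTED_CMD_PARENTS and UNIX_ONLY_COMMANDS lists are this example’s own assumptions.

```python
"""
Sweep detection over constructed connection records plus an odd-parent /
Unix-command check over constructed process records. Neither list is a vendor
reference; tune the parent allowlist and threshold to the environment.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def detect_sweeps(conns: List[Dict], threshold: int = 20,
                  window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, int]]:
    """Return (src_host, subnet, distinct_dsts) for each source that touches at
    least `threshold` distinct addresses in the same /24 inside `window`."""
    by_key: Dict[Tuple[str, str], list] = defaultdict(list)
    for c in conns:
        net = ipaddress.ip_network(f"{c['dst']}/24", strict=False)
        by_key[(c["src_host"], str(net))].append((c["ts"], c["dst"]))
    hits = []
    for (src, net), items in by_key.items():
        items.sort()
        in_window: Dict[str, int] = defaultdict(int)   # dst -> hits inside the window
        start = 0
        for ts, dst in items:
            in_window[dst] += 1
            while items[start][0] < ts - window:       # slide the window forward
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                hits.append((src, net, len(in_window)))
                break                                   # one hit per host/subnet is enough
    return hits


# Parents that normally launch cmd.exe for a user. Anything else (a VPN client,
# an Office app, a browser) spawning a shell deserves a look.
EXPECTED_CMD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "pwsh.exe",
                        "services.exe", "windowsterminal.exe", "conhost.exe"}
# Commands that do not exist on a stock Windows host; seeing one under cmd.exe
# means Unix tooling is installed or a tool runs cross-platform recon blindly.
UNIX_ONLY_COMMANDS = {"uname", "ifconfig", "id", "cat"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_odd_shell_spawn(procs: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (host, parent, first command) for cmd.exe launches that are
    spawned by an unexpected parent or run a Unix-only command."""
    out = []
    for p in procs:
        if _basename(p["image"]) != "cmd.exe":
            continue
        m = re.search(r'/c\s+"?([^"\s]+)', p["cmdline"], re.I)   # first word after /c
        if not m:
            continue
        parent, cmd = _basename(p["parent"]), m.group(1).lower()
        if parent not in EXPECTED_CMD_PARENTS or cmd in UNIX_ONLY_COMMANDS:
            out.append((p["host"], parent, cmd))
    return out


# Constructed sample: WS07 sweeps 60 hosts in 30 seconds and then has cmd.exe
# spawned by the VPN client; WS03 only talks to two servers and runs ipconfig.
T0 = datetime(2024, 6, 22, 10, 0, 0)
SAMPLE_CONNS = (
    [{"src_host": "WS07", "ts": T0 + timedelta(seconds=i / 2), "dst": f"172.21.9.{i + 1}"}
     for i in range(60)]
    + [{"src_host": "WS03", "ts": T0 + timedelta(seconds=i), "dst": d}
       for i, d in enumerate(["172.21.1.25", "172.21.1.26", "172.21.1.25"])]
)
SAMPLE_PROCS = [
    {"host": "WS07", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Fortinet\FortiClient\FortiClient.exe",
     "cmdline": r'cmd.exe /d /s /c "uname -v"'},
    {"host": "WS03", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_CONNS))
    print(detect_odd_shell_spawn(SAMPLE_PROCS))
```

The sweep rule keys on distinct destinations per /24 rather than packet counts, so a chatty client talking to two file servers (WS03) never trips it; the parent check is deliberately independent of the scanner’s file name, which is what catches the portable build the mitigations below worry about.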

More About Advanced IP Scanner


Advanced IP Scanner is a free network scanner used by system administrators and threat actors alike to analyze local area networks (LANs) and provides the following functionality (5):

  • Shows all network devices,
  • Gives access to shared folders,
  • Provides remote control of computers, and
  • Can remotely switch off computers.

Between its installer and portable versions and its broad feature set, Advanced IP Scanner has been adopted by both cybercriminal operations and APT groups (8).

Specifically, threat actors abuse Advanced IP Scanner’s active scanning (MITRE ATT&CK T1595) during the reconnaissance phase prior to intrusion (6), and its network service discovery (T1046) during the discovery phase after initial compromise of a victim environment (7).

APG Threat Analysis of Advanced IP Scanner Abuse for 2024


The APG predicts that threat actors will likely continue to deploy and abuse Advanced IP Scanner over the next 12 months.

This assessment is based on internal Blackpoint observed attacks and external reporting related to the use of Advanced IP Scanner tool during reported cyberattacks.

Blackpoint’s APG has tracked at least 13 ransomware operations that have abused the Advanced IP Scanner tool for various activities during reported cyberattacks, including:

  • Akira
  • INC Ransom
  • Phobos
  • Makop
  • Trigona

The APG’s observations and tracking of threat actor use of Advanced IP Scanner aligns with other external research.

  • In 2023, security researchers with ConnectWise’s Cyber Research Unit (CRU) reported several incidents stemming from a malvertising campaign distributing a trojanized Advanced IP Scanner installer (9).
    • Once executed, the malicious installer launched PowerShell to download and run a .NET RAT, dubbed Parcel RAT.
    • The researchers attributed the activity to UNC2465, reportedly a former DarkSide ransomware affiliate.
  • In 2024, Trustwave SpiderLabs security researchers reported a malicious Advanced IP Scanner installer that contained a backdoored DLL module (10).
    • Reportedly, the victim had searched for the Advanced IP Scanner tool and inadvertently downloaded the compromised installer from a typo-squatted domain.
    • The incident led to the deployment of Cobalt Strike via the DLL module.

Recommended Advanced IP Scanner Mitigations and Remediations


The APG recommends the following actions to help mitigate the deployment and abuse of legitimate tools, such as Advanced IP Scanner, by threat actors.

  • Improve security visibility of networks, endpoints, and other managed assets to aid in detecting and alerting to suspicious actions and malicious abuse of otherwise legitimate tools, such as Advanced IP Scanner.
  • Provide end users with a dedicated software center, which allows employees to download approved software from a safe and monitored location. Approved software lists can aid in detecting software, such as Advanced IP Scanner, that is installed from a third-party location and therefore possibly malicious.
  • Implement application controls wherever possible and practical. Application controls help prevent both installation and execution of portable versions of unauthorized software, which represent a significant security risk to your organization.
  • Operate from a zero-trust mentality, which treats every request to every resource as untrusted by default and requires identification, authentication, and authorization at each gate, rather than assuming that earlier validations carry through to the next request.
    • Note: Zero trust requires aggressive and continuous monitoring and management, which can be difficult to implement and maintain for organizations and departments not fully bought into the cybersecurity program, and it may require additional staffing and end user education. So, despite the inherent logic of a zero trust approach to organizational security, try the previous remediation options before attempting to deploy a zero trust solution at less mature organizations.


Multiple NetSupport RAT Incidents with Real Estate, Industrials, and Institutions & Organizations Partners on June 24 and 26, 2024

Topline Takeaways

  • Industry target:
    • Real Estate
    • Industrials
    • Institutions & Organizations
  • Attacker information:
    • NetSupport RAT
    • wscript.exe
    • client32.exe
    • Registry Run Key “LXFA”
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use NetSupport RAT to exploit other Real Estate, Industrials, and Institutions & Organizations organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Heuristics-based activity monitoring and remediation
    • Scripting language controls
    • Multifactor authentication (MFA)

Multiple NetSupport RAT Incidents on 2024-06-24 and 2024-06-26

  • Blackpoint’s MDR+R technology alerted to a suspicious PowerShell download on a Real Estate partner’s host.
  • The Active SOC team’s initial investigation identified that the detected PowerShell activity was tied to the NetSupport Remote Access Trojan (RAT).
    • The PowerShell command was spawned by a downloaded .js file executed via wscript.exe.
    • The .js file posed as an update and deployed NetSupport RAT when run.
    • Execution of the JavaScript file also added a Registry Run key entry titled “LXFA”, which launches client32.exe (NetSupport RAT) at logon.
  • Blackpoint’s Active SOC team then isolated the affected host to prevent additional malicious activity, and contacted the Real Estate partner with more information and remediation advice.

Due to the increase in observed NetSupport RAT detections over the past few weeks, Blackpoint’s Active SOC team has been conducting threat hunting activities for NetSupport RAT within managed partner environments.

  • On the same day as the alerted NetSupport RAT deployment on the Real Estate partner’s host, the Active SOC team proactively investigated an Industrials partner’s device flagged during the threat hunting investigation.
    • Active SOC analysts identified a suspicious scheduled task that ran a binary out of a suspicious file path.
    • Multiple vendors and the broader security community flagged the binary as the NetSupport RAT (11).
    • Blackpoint’s Active SOC disabled the scheduled task and isolated the device out of an abundance of caution, before reaching out to the Industrials partner with incident details and additional remediation advice.
  • Two days later, the threat hunting operations proactively inspected a flagged Institutions & Organizations partner’s device.
    • Active SOC analysts identified a running process “client32.exe”, which aligns with NetSupport RAT observed activity.
    • The identified file’s hash was unknown and / or previously unidentified by other vendors and the broader security community when searched via OSINT techniques.
    • The identified file was located in :\Program Files (x86)\SoftLINK Class Control. SoftLINK Class Control is classroom software used to monitor workstations during proctoring, and client32.exe is also the file name of the legitimate NetSupport client, so the path and an unknown hash alone do not settle the question; the file’s signer, install date, and whether the partner sanctioned the software do.
    • The Active SOC analysts reached out to the partner and isolated the device out of an abundance of caution.
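The hunt above turns on a question the process name cannot answer by itself: is this client32.exe a sanctioned NetSupport or SoftLINK install, or a RAT deployment? The following triage logic is an added example written for this post, not Blackpoint’s hunting tooling or a NetSupport reference; it scores each observation on where the binary lives, whether it carries the expected signer, how it is started, and what is known about its hash. The install roots, the signer substring, the weights, the verdict thresholds and the four sample records are this example’s own assumptions; in practice the signer field would come from Get-AuthenticodeSignature or the EDR’s signature metadata.

```python
"""
Score client32.exe observations so that a legitimate, signed, service-started
install under a known root scores low while an unsigned or relocated copy
started from a Run key or scheduled task scores high. All lists and weights
are constructed for this example.
"""
import re
from typing import Dict, List

# Install roots the partner is assumed to use (SoftLINK Class Control is the
# classroom product observed shipping client32.exe in the hunt above).
EXPECTED_ROOTS = (
    "c:\\program files\\netsupport\\",
    "c:\\program files (x86)\\netsupport\\",
    "c:\\program files (x86)\\softlink class control\\",
)
EXPECTED_SIGNER = "netsupport"   # assumed substring of the Authenticode subject, case-insensitive
# User-writable or staging directories where a RAT drop typically lands.
STAGING_DIRS = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\", re.I)
PERSISTENCE_WEIGHT = {"run_key": 2, "scheduled_task": 2, "service": 0, None: 0}


def score_observation(obs: Dict) -> Dict:
    """Return host, score, verdict and the reasons behind the score."""
    reasons: List[str] = []
    score = 0
    path = obs["path"].lower()
    if not path.startswith(EXPECTED_ROOTS):
        score += 3
        where = " (user-writable or staging directory)" if STAGING_DIRS.match(path) else ""
        reasons.append("outside expected install roots" + where)
    signer = (obs.get("signer") or "").lower()
    if not obs.get("signed") or EXPECTED_SIGNER not in signer:
        score += 3
        reasons.append("unsigned or unexpected signer")
    persistence = obs.get("persistence")
    weight = PERSISTENCE_WEIGHT.get(persistence, 2)   # unknown mechanisms count as suspicious
    if weight:
        score += weight
        reasons.append(f"started via {persistence} rather than an installed service")
    known_bad = obs.get("hash_known_bad")             # True / False / None (never seen)
    if known_bad is True:
        score += 4
        reasons.append("hash flagged by vendors")
    elif known_bad is None:
        score += 1
        reasons.append("hash not seen before")
    verdict = "isolate" if score >= 5 else "investigate" if score >= 1 else "likely legitimate"
    return {"host": obs["host"], "score": score, "verdict": verdict, "reasons": reasons}


def triage(observations: List[Dict]) -> List[Dict]:
    return [score_observation(o) for o in observations]


# Constructed sample: two RAT-style deployments (one of them using the
# vendor-signed binary, which is common), the SoftLINK case with an unseen
# hash, and a clean NetSupport Manager install.
SAMPLE_OBSERVATIONS = [
    {"host": "WS21", "path": r"C:\Users\Public\Downloads\client32.exe", "signed": False,
     "signer": None, "persistence": "run_key", "persistence_name": "LXFA", "hash_known_bad": True},
    {"host": "WS22", "path": r"C:\ProgramData\Updater\client32.exe", "signed": True,
     "signer": "NetSupport Ltd", "persistence": "scheduled_task", "persistence_name": "Updater",
     "hash_known_bad": True},
    {"host": "WS23", "path": r"C:\Program Files (x86)\SoftLINK Class Control\client32.exe",
     "signed": True, "signer": "NetSupport Ltd", "persistence": "service", "hash_known_bad": None},
    {"host": "WS24", "path": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "signed": True, "signer": "NetSupport Ltd", "persistence": "service", "hash_known_bad": False},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_OBSERVATIONS):
        print(f"{r['host']}: {r['verdict']} (score {r['score']}): {'; '.join(r['reasons'])}")
```

WS22 is the case worth noting: the binary is vendor-signed, so signature checks alone would clear it, and only the ProgramData location and scheduled-task start give it away. WS23 lands on “investigate” rather than “likely legitimate” purely because the hash had never been seen, which mirrors the isolate-out-of-caution call in the timeline above.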

More About NetSupport RAT


NetSupport Manager is a legitimate remote support tool that has been frequently abused by multiple threat actors for malicious activities (12). “NetSupport RAT” is the name the security community gives to the NetSupport client when threat actors repackage and deploy it against victims; it supports multiple features, including:

  • File transfers,
  • Remote access to compromised environments,
  • Keylogging, and
  • The ability to take control of system resources.

NetSupport Manager was first released for legitimate use in DOS environments in 1989, and was first observed deployed by threat actors in 2016 (13).

Because it is widely available and fully featured, NetSupport RAT is used by many threat groups; post-incident attribution is therefore difficult.

The APG has recently summarized observed incidents using NetSupport RAT, likely for attempted persistence post-compromise.

However, due to the popularity of NetSupport RAT among cybercriminals, and because the Active SOC’s proactive actions on behalf of Blackpoint’s partners prevent full-scale attacks against managed environments, the APG does not yet have enough data to attribute these incidents to a specific threat group or to identify a strategic pattern.

(We’d rather organizations remain secure before substantial damage occurs, than allow a threat actor to fully deploy their attack chain in an actively managed environment for our own academic curiosity! Honeypot analysis, however, is another story entirely.)

APG Threat Analysis of NetSupport RAT for 2024


The APG predicts that threat actors will very likely continue to deploy and use NetSupport RAT over the next 12 months.

We base this assessment on (many!) internal Blackpoint observed attacks and external reporting on others’ observed NetSupport RAT use during reported incidents. Some select reports include:

  • In November 2023, VMware security researchers reported an increase in NetSupport RAT detections (11).
    • The researchers reported that the majority of the infections observed were targeting the Academics, Government, and Professional & Commercial Services (specifically Business Services) verticals.
    • Researchers observed NetSupport RAT to be downloaded onto a victim’s computer via deceptive websites and fake browser updates; however, specific delivery tactics and techniques varied dependent upon each individual threat group’s attack patterns.
  • In May 2024, ConnectWise’s monthly threat brief listed the top five malware strains observed in April 2024; NetSupport RAT was the most observed malware deployed within their environments (14).

Connectwise’s report and other recent analysis we didn’t include here further support the APG’s assessment (and our Active SOC team’s lived reality) that threat actors are very likely to continue using widely available tools that have proven successful in other incidents – especially NetSupport RAT.

Recommended NetSupport RAT Mitigations and Remediations


Blackpoint’s APG recommends the following actions to help mitigate the use of NetSupport RAT for malicious activities.

  • Conduct employee security awareness training, including how to spot a phishing email and how and when to report it to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training helps lower the risk of users downloading malicious software or legitimate tools repurposed for malicious actions.
  • Monitor system activity through heuristics-based triggers and alerts, which can identify deviations from normal or expected behavior that indicate potential malicious activity.
  • Minimize the use of – or implement strict controls on – scripting languages, as such restrictions impede threat actors’ ability to leverage scripts for malicious actions under compromised user profiles.
  • Require multifactor authentication (MFA), and VPN access where feasible, so that only identified, authenticated, and authorized employees can reach sensitive data and resources, with an additional credential factor beyond the password.

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environments, certain details may occasionally be omitted and / or obfuscated to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

  1. Dark Vortex’s Website: “Brute Ratel” by Dark Vortex on N/A
  2. Trend Micro’s Blog: “Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike” by Ian Kenefick, Lucas Silva, and Nicole Hernandez on 2022-10-12
  3. SANS’s Blog: “Cracked Brute Ratel C4 framework proliferates across the cybercriminal underground” by Wil Thomas on 2022-10-05
  4. Palo Alto’s Blog: “When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors” by Mike Harbison and Peter Renals on 2022-07-05
  5. Advanced IP Scanner’s Website: “Advanced IP Scanner” by Famatech Corp. on N/A
  6. MITRE’s Repository: “Active Scanning” by MITRE on 2022-03-08
  7. MITRE’s Repository: “Network Service Discovery” by MITRE on 2023-08-11
  8. Hunt & Hackett’s Blog: “Advanced IP Scanner: the preferred scanner in the A(P)T toolbox” by Krijn de Mik on 2021-10-22
  9. ConnectWise’s Blog: “Former DarkSide ransomware affiliate distributing trojanized installers via malvertising” by Blake Eakin on 2023-12-13
  10. Trustwave’s Blog: “Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor” by Rodel Mendrez on 2024-06-05
  11. VMware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo, Abe Schneider, and Fae Carlisle on 2023-11-20
  12. Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Andi Ursry and Ashley Stryker on 2024-06-21
  13. SenseOn Tech LTD’s Blog: “Into the Rat’s Nest: A SenseOn Analysis of the NetSupport RAT” by Isabel Carter on 2024-06-06
  14. ConnectWise’s Blog: “Monthly Threat Brief: May 2024” by Bryson Medlock on 2024-06-24