Security researchers are warning that threat actors are abusing malicious payloads built with Brute Ratel C4, a legitimate adversarial attack simulation tool, to avoid detection.
Palo Alto Networks' Unit 42 said that in May this year, it uploaded a malware sample to Google's VirusTotal system to see if it could be identified.
All 56 malware engines on VirusTotal rated the sample as benign, even though Unit 42 said it contained the Brute Ratel C4 payload.
The tool is less well-known than Cobalt Strike, which is popular among penetration testers, and components of which have also been used for malicious purposes.
That Brute Ratel C4 went undetected by malware scanners is a cause for concern, Unit 42 said: "this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities.
"Its effectiveness at doing so can clearly be witnessed by the aforementioned lack of detection across vendors on VirusTotal," Unit 42 wrote.
Brute Ratel C4 is developed by Indian security researcher Chetan Nayak, formerly of Mandiant and Crowdstrike.
It is a tool for simulating attacks, and can be customised to act as a control centre for penetration testing purposes, when used by Red Teams against defending Blue Teams.
Nayak said he reverse engineered several top-tier EDR and antivirus dynamic link libraries (DLLs) before building the new version of Brute Ratel C4, and said the tool has 480 users across 350 customers.
Brute Ratel C4 costs US$2500 per licence, with renewals charged at US$2250, potentially earning Nayak well over a million dollars a year.
In response to the Unit 42 analysis, Nayak said he has taken action against the licences that were used for malicious purposes and sold on the black market.
The use of reverse-engineered EDR and AV DLLs is "of greater concern," Unit 42 said.
"Our analysis highlights the ongoing and relevant debate within the cybersecurity industry surrounding the ethics relating to the development and use of penetration testing tools that can be exploited for offensive purposes," the security researchers added.
Unit 42 believes the malware was packaged in a manner consistent with the APT29 hacking group, said to be part of Russia's Foreign Intelligence Service (SVR).
APT29 rose to notoriety after Western governments fingered the group as being behind the large-scale SolarWinds supply chain attack, which compromised Microsoft resellers and service providers.
Unit 42 is encouraging security vendors to develop detections for Brute Ratel C4, and to be alert to activity stemming from the tool.