Backdoor:Win64/BruteRatel!rfn

Backdoor:Win64/BruteRatel!rfn compromise begins with a spear-phishing email containing a compressed archive. This archive holds a malicious LNK file disguised with a familiar document or application icon. When a user executes this LNK file, it launches cmd.exe which, in turn, runs a legitimate-looking process such as OneDriveUpdater.exe from the same folder. The attack exploits the Windows library-loading order. BruteRatel  places a malicious dynamic-link library (DLL), often named version.dll or vresion.dll in the same directory as the legitimate binary. When the device runs OneDriveUpdater.exe, it loads the malicious DLL first instead of the authentic system library.  

This technique, known as DLL side-loading, allows the malicious code to run within the context of a trusted process. Once loaded, the malicious DLL uses a multi-stage process to deploy the final payload. It employs memory allocation and writes functions to unpack the main BruteRatel payload into memory, a method known as reflective DLL loading. This technique avoids writing the malicious file to disk, helping it evade detection. The payload itself is obfuscated with multiple layers of encoding and streaming encryption. Once decrypted, it contains a configuration block that defines its Command and Control (C2) communication settings, including the protocol, server addresses, client identifiers, and other operational parameters. 

Communication with the C2 server occurs over HTTPS, with traffic structured as legitimate-looking JSON or XML data to blend in with normal web traffic. Historical C2 infrastructure has included IP addresses such as 174[.]129.157[.]251 and 159[.]65.186[.]50 on port 443, and domains that mimic legitimate services like symantecuptimehost.com on port 8080. BruteRatel further evades analysis by using a custom communication protocol that generates cryptographic keys from the end bytes of disassembled code sections. 

Later variants (2024-2025) have incorporated additional evasion measures, such as using sophisticated packers and crypters, deploying memory-only implants, and utilizing API hashing to dynamically resolve system calls without revealing the imported functions. Throughout its operation, the malware is memory-resident and typically does not create registry entries or files for persistence, relying on its initial access mechanisms for re-infection and maintaining a volatile footprint to lessen forensic evidence.