BattleRoyal Cluster Signals DarkGate Surge

Written by

Security researchers have warned against the DarkGate threat actor, who has recently gained notoriety in the realm of remote access Trojans (RATs) and loaders. 

Earlier today, Proofpoint confirmed it has been tracking a distinct operator of the DarkGate malware, temporarily named BattleRoyal, noting its use in at least 20 email campaigns from September to November 2023.

These campaigns were characterized by their diverse delivery methods, including emails, Microsoft Teams, Skype, malvertising and fake updates.

The BattleRoyal cluster demonstrated a significant focus on exploiting a specific vulnerability, CVE-2023-36025, which affects Windows SmartScreen, a security feature designed to thwart visits to malicious websites.

Notably, BattleRoyal exploited this vulnerability before it was publicly disclosed by Microsoft. The modus operandi involved using various attack tools, such as 404 TDS, Keitaro TDS and URL files, with the latter exploiting the Windows vulnerability mentioned above.

Proofpoint identified multiple campaigns exploiting CVE-2023-36025, but BattleRoyal stood out for its frequency in leveraging this vulnerability. The malware delivery mechanisms included email campaigns and a RogueRaticate fake browser update. 

The latter, discovered on October 19 2023, used an obfuscation technique that concealed DarkGate payloads with the “ADS5” GroupID. The actors injected requests to controlled domains, utilizing .css steganography to hide malicious code.

Read more on DarkGate: DarkGate Malware Campaigns Linked to Vietnam-Based Cybercriminals

In a notable evolution, the BattleRoyal cluster transitioned from DarkGate to NetSupport, a well-established remote access tool, in late November to early December. This change could be attributed to a rise in DarkGate’s popularity or a strategic shift. The campaigns exhibited a gradual evolution, employing two .URL files instead of one.

According to Proofpoint, the BattleRoyal cluster’s use of multiple attack chains highlights a new trend among cybercriminals.

“The actor’s use of both email and compromised websites with fake update lures to deliver DarkGate and NetSupport is unique but aligns with the overall trend Proofpoint has observed of cyber criminal threat actors adopting new, varied, and increasingly creative attack chains [...] to enable malware delivery,” reads the advisory.

“Additionally, the use of both email and fake update lures shows the actor using multiple types of social engineering techniques in an attempt to get users to install the final payload.”

What’s hot on Infosecurity Magazine?