BattleRoyal Cluster Signals DarkGate’s Rise


Security researchers have warned about DarkGate, a malware family that has recently gained notoriety as a remote access trojan (RAT) and loader.

Earlier today, Proofpoint confirmed that it is tracking a separate operator of the DarkGate malware, provisionally named BattleRoyal, which it observed in at least 20 email campaigns between September and November 2023.

DarkGate campaigns have been characterized by their varied delivery methods, including email, Microsoft Teams, Skype, malvertising and fake browser updates.

The BattleRoyal cluster focused on exploiting a specific vulnerability, CVE-2023-36025, a security feature bypass in Windows SmartScreen, the component that warns users before they open untrusted files or visit malicious websites.

Notably, BattleRoyal exploited this vulnerability before Microsoft publicly disclosed it. The operator's attack chains combined several tools, including the 404 TDS and Keitaro TDS traffic distribution systems and Internet Shortcut (.URL) files, the last of which exploited the SmartScreen vulnerability mentioned above.

Proofpoint identified several other campaigns exploiting CVE-2023-36025, but BattleRoyal stood out for how often it used the flaw. Its delivery mechanisms included email campaigns and RogueRaticate fake browser updates.
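The article names Internet Shortcut (.URL) files as the lure that carried the SmartScreen bypass but does not describe their contents. As an added example (not code from the article or from Proofpoint), the checker below parses a .URL file and flags generic signs of abuse in this format: a target that is a remote UNC or file:// share rather than an http(s) URL, a target with a script or executable extension, or an IconFile that points to a remote share. The sample files, the 192.0.2.10 address (an RFC 5737 documentation address) and the heuristics are constructed for the example; they are not indicators from the BattleRoyal campaigns.

```python
import os
from urllib.parse import urlparse

# Extensions that should never be the target of a harmless web shortcut (example list).
SUSPICIOUS_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe", ".msi", ".dll",
                  ".cpl", ".scr", ".bat", ".cmd", ".ps1", ".lnk", ".url"}


def parse_url_file(text: str) -> dict:
    """Parse an Internet Shortcut (.URL) file into {lowercase key: value} for the
    [InternetShortcut] section. Handles a UTF-8 BOM, CRLF line endings and
    mixed-case section or key names, which lures deliberately vary."""
    text = text.lstrip("\ufeff")
    keys = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip().lower()] = value.strip()
    return keys


def _is_remote_path(value: str) -> bool:
    """True for UNC paths (\\\\host\\share\\...) and file:// URLs with a host part.
    file:///C:/... has an empty netloc and is treated as local."""
    v = value.strip().strip('"')
    if v.startswith("\\\\") or v.startswith("//"):
        return True
    parsed = urlparse(v)
    return parsed.scheme.lower() == "file" and parsed.netloc != ""


def _target_extension(target: str) -> str:
    """Extension of the object a shortcut target points at, for URLs and UNC paths."""
    parsed = urlparse(target)
    path_part = parsed.path if parsed.scheme else target
    return os.path.splitext(path_part.replace("\\", "/"))[1].lower()


def triage_url_file(text: str) -> list:
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []
    keys = parse_url_file(text)
    target = keys.get("url", "")
    if not target:
        return ["no URL= target in [InternetShortcut]"]
    remote = _is_remote_path(target)
    if remote:
        findings.append("target is a remote share (UNC or file:// with host)")
    scheme = urlparse(target).scheme.lower()
    if scheme and scheme not in ("http", "https") and not remote:
        findings.append(f"target uses non-web scheme '{scheme}'")
    ext = _target_extension(target)
    if ext in SUSPICIOUS_EXT:
        findings.append(f"target has script/executable extension '{ext}'")
    icon = keys.get("iconfile", "")
    if icon and _is_remote_path(icon):
        findings.append("IconFile points to a remote share")
    return findings


# Constructed samples for the example (not campaign artifacts).
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\n"
LURE_URL_FILE = (
    "\ufeff[internetshortcut]\r\n"
    "url=file://192.0.2.10/share/invoice.vbs\r\n"
    "IconFile=\\\\192.0.2.10\\share\\icon.ico\r\n"
    "IconIndex=0\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("lure", LURE_URL_FILE)):
        print(name, triage_url_file(sample) or ["clean"])
```

The parser is hand-rolled rather than built on configparser because shortcut files from lures arrive with BOMs, odd casing and duplicate keys, and the triage logic should see exactly what Windows would act on. Run it over a quarantined mail attachment directory and forward anything with findings for analysis; it is a triage filter, not proof of exploitation.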

The latter, first observed on October 19, 2023, delivered DarkGate payloads configured with the GroupID “ADS5”, the campaign identifier carried in the DarkGate configuration. The actors injected requests into attacker-controlled domains, using .css steganography to hide the malicious code.


In a notable shift, the BattleRoyal cluster moved from DarkGate to NetSupport, a well-established remote access tool, from the end of November into the beginning of December. The change may reflect DarkGate’s growing popularity or a deliberate strategic decision. The attack chains also evolved gradually, for instance using two .URL files instead of one.

According to Proofpoint, the BattleRoyal cluster’s use of multiple attack chains illustrates a broader trend among cybercriminals.

“The actor’s use of compromised emails and websites with fake updates to deliver DarkGate and NetSupport is unique but aligns with the general trend observed by Proofpoint that cybercriminal threat actors adopt new, varied and increasingly creative attack chains (…) to enable the distribution of malware,” the report said.

“Additionally, the use of emails and fake updates shows that the actor is using several types of social engineering techniques to attempt to trick users into installing the final payload.”
