BattleRoyal Hackers Employ Multiple Tactics to Deploy DarkGate RAT
December 21, 2023
An unidentified threat group, referred to as 'BattleRoyal', has been conducting various social engineering campaigns this fall, targeting organizations in North America. The objective of these campaigns is to spread the multifaceted DarkGate malware. While researchers at Proofpoint have been tracking the activities of this threat actor, they have not been able to conclusively determine if BattleRoyal is a new entity or if it has any connections to existing threat actors. This ambiguity may be due to the wide array of tactics, techniques, and procedures (TTPs) employed by the group.
BattleRoyal has used mass phishing emails and fake browser updates to deliver DarkGate and, more recently, the NetSupport remote control software. The group has also leveraged traffic distribution systems (TDSs), malicious VBScript, steganography, and a Windows Defender vulnerability. Despite these aggressive tactics, there have been no known successful exploitations to date.
The group's use of fake browser updates was first noticed in mid-October, in an operation dubbed 'RogueRaticate'. In this scenario, BattleRoyal injects requests into domains it covertly controls, using cascading style sheets (CSS) steganography to hide its malicious code. This code then filters traffic and redirects targeted browser users to the fake update.
However, BattleRoyal seems to prefer traditional email phishing. Between September and November, it carried out at least 20 such campaigns, sending tens of thousands of emails. The links in these emails often use multiple TDSs, a common tool among cybercriminals. Selena Larson, senior threat intelligence analyst at Proofpoint, states, 'Proofpoint regularly sees TDSs used by threat actors in attack chains, specifically cybercrime campaigns.'
The two most frequently used TDSs are 404 TDS and the legitimate Keitaro TDS, both of which are utilized by BattleRoyal. These TDSs redirect users to a URL file that exploits CVE-2023-36025, a critical bypass vulnerability that affects Microsoft Defender SmartScreen. BattleRoyal seems to have been exploiting CVE-2023-36025 as a zero-day, prior to its disclosure last month.
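A defender-side triage helper for the Internet Shortcut (.url) delivery step described above, added here as an illustration and not code from Proofpoint or the article: it parses the INI-style `[InternetShortcut]` block and flags files whose `URL=` target points at a remote file share or a non-web scheme. The sample files are constructed, the review heuristics are assumptions, and nothing here reproduces the CVE-2023-36025 bypass itself.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url files (not from the campaign); a real .url file is an
# INI-style text file with an [InternetShortcut] section and a URL= entry.
SAMPLE_URL_FILES = {
    "benign.url": "[InternetShortcut]\r\nURL=https://www.example.com/\r\n",
    "remote_share.url": "[InternetShortcut]\r\nURL=file://203.0.113.10/share/invoice.pdf.lnk\r\n",
    "unc_target.url": "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\doc.lnk\r\n",
}


def parse_internet_shortcut(text):
    """Return the URL= target of an Internet Shortcut file, or None if malformed."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if "InternetShortcut" not in parser:
        return None
    # configparser lowercases option names, so "URL" and "url" both resolve.
    return parser["InternetShortcut"].get("URL")


def classify_shortcut(target):
    """Return a review reason for a suspicious target, or None if it looks ordinary.
    The thresholds are assumptions chosen for triage, not a published signature."""
    if target is None:
        return "unparseable or missing URL= entry"
    if target.startswith("\\\\") or target.startswith("//"):
        return "UNC path target (remote share)"
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme == "file" and parsed.netloc:
        return "file:// target on a remote host"
    if scheme not in ("http", "https"):
        return f"non-web scheme {scheme or '<none>'!r}"
    return None


def triage(files):
    """Map file name -> reason for every shortcut that warrants analyst review."""
    findings = {}
    for name, text in files.items():
        reason = classify_shortcut(parse_internet_shortcut(text))
        if reason:
            findings[name] = reason
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_URL_FILES).items():
        print(f"{name}: {reason}")
```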
DarkGate, the malware at the end of this chain, is a combination loader-cryptominer-remote access Trojan (RAT). Despite its existence for over five years, its recent surge in activity is likely due to the developer renting out the malware to a small number of affiliates, as advertised on cybercriminal hacking forums. Besides BattleRoyal, groups tracked as TA577 and TA571 have also been observed using it.
Recently, BattleRoyal switched from DarkGate to NetSupport in its email campaigns. Larson notes that the reason for this change is unclear, but it could be due to increased attention on DarkGate by threat researchers and the security community, or simply a temporary shift to a different payload.