BattleRoyal Hackers Employ Multiple Tactics to Deploy DarkGate RAT

December 21, 2023

An unidentified threat group, referred to as 'BattleRoyal', has been conducting various social engineering campaigns this fall, targeting organizations in North America. The objective of these campaigns is to spread the multifaceted DarkGate malware. While researchers at Proofpoint have been tracking the activities of this threat actor, they have not been able to conclusively determine if BattleRoyal is a new entity or if it has any connections to existing threat actors. This ambiguity may be due to the wide array of tactics, techniques, and procedures (TTPs) employed by the group.

BattleRoyal has used mass phishing emails and fake browser updates to deliver DarkGate and, more recently, the NetSupport remote control software. The group has also leveraged traffic distribution systems (TDSs), malicious VBScript, steganography, and a Windows Defender vulnerability. Despite these aggressive tactics, there have been no known successful exploitations to date.

The group's use of fake browser updates was first noticed in mid-October, in an operation dubbed 'RogueRaticate'. In this scenario, BattleRoyal injects requests into domains it covertly controls, using cascading style sheet (CSS) steganography to hide its malicious code. This code then filters traffic and redirects targeted browser users to the fake update.

However, BattleRoyal seems to prefer traditional email phishing. Between September and November, it carried out at least 20 such campaigns, sending tens of thousands of emails. The links in these emails often use multiple TDSs, a common tool among cybercriminals. Selena Larson, senior threat intelligence analyst at Proofpoint, states, 'Proofpoint regularly sees TDSs used by threat actors in attack chains, specifically cybercrime campaigns.'

The two most frequently used TDSs are 404 TDS and the legitimate Keitaro TDS, both of which are utilized by BattleRoyal. These TDSs redirect users to a URL file that exploits CVE-2023-36025, a critical bypass vulnerability affecting Microsoft Defender SmartScreen. BattleRoyal appears to have been exploiting CVE-2023-36025 as a zero-day, prior to its disclosure last month.

DarkGate, the malware at the end of this chain, is a combined loader, cryptominer, and remote access Trojan (RAT). Although it has existed for over five years, its recent surge in activity is likely due to the developer renting the malware out to a small number of affiliates, as advertised on cybercriminal hacking forums. Besides BattleRoyal, groups tracked as TA577 and TA571 have also been observed using it.

Recently, BattleRoyal switched from DarkGate to NetSupport in its email campaigns. Larson notes that the reason for this change is unclear, but it could be due to increased attention on DarkGate by threat researchers and the security community, or simply a temporary shift to a different payload.
