BattleRoyal cluster spreads DarkGate through varied channels


A cluster of malicious activity, tentatively named BattleRoyal, is distributing DarkGate remote access trojan (RAT) and loader across the United States and Canada.

Cybersecurity researchers from Proofpoint have been tracking this cluster but cannot identify the threat actor behind it, thus the name BattleRoyal. Researchers found that between September and November 2023, at least 20 email campaigns employing DarkGate were identified, each tagged with distinct GroupIDs such as ‘PLEX’, ‘ADS5’, ‘user_871236672’, and ‘usr_871663321.’

Source: Proofpoint

The campaigns targeted tens of thousands of emails across various industries in the United States and Canada, using diverse methods, including email, Microsoft Teams, Skype, malvertising, and fake updates.

Proofpoint researchers found a particularly interesting facet of the BattleRoyal cluster: the exploitation of CVE-2023-36025, a vulnerability in Windows SmartScreen. This security feature, designed to stop users from reaching malicious websites, could be bypassed when a user clicked a specially crafted .URL file or hyperlink, leading to a potential compromise.
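Because the campaign above leans on .URL (Windows Internet Shortcut) attachments, a defender's first question is what such a file actually points to. The following is an added triage example, not code from Proofpoint or from the article: it parses the INI-style body of a .URL file and flags targets that use a non-web scheme, reference a remote host via file:// or a UNC path, or pull their icon from a remote location. The sample shortcut contents, host addresses and the flagging rules are all constructed for illustration; the script is a generic attachment-triage check and does not claim to detect any particular exploit.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .URL file bodies (not from the campaign described above).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/docs/guide.html
IconIndex=0
"""

SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file://203.0.113.10/share/invoice.pdf
IconFile=\\\\203.0.113.10\\share\\icon.ico
IconIndex=0
"""

# Schemes an ordinary web shortcut is expected to use (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def parse_internet_shortcut(text):
    """Parse the [InternetShortcut] section of a .URL file into a dict of its keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (URL, IconFile, ...)
    cp.read_string(text)
    if "InternetShortcut" not in cp:
        return {}
    return dict(cp["InternetShortcut"])


def triage_internet_shortcut(text):
    """Return the reasons a shortcut deserves analyst attention; an empty list means nothing flagged."""
    fields = parse_internet_shortcut(text)
    reasons = []
    target = fields.get("URL", "")
    parsed = urlparse(target)

    if not target:
        reasons.append("no URL target")
    elif parsed.scheme.lower() not in ALLOWED_SCHEMES:
        reasons.append(f"non-web scheme '{parsed.scheme}'")

    # A file:// target with a host, or a UNC path, reaches out to a remote share.
    if parsed.scheme.lower() == "file" and parsed.netloc:
        reasons.append(f"file:// target on remote host {parsed.netloc}")
    elif target.startswith("\\\\"):
        reasons.append("UNC path target")

    icon = fields.get("IconFile", "")
    if icon.startswith("\\\\") or icon.lower().startswith("http"):
        reasons.append("IconFile points to a remote location")
    return reasons


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_URL_FILE), ("suspicious", SUSPICIOUS_URL_FILE)):
        print(name, triage_internet_shortcut(body) or "nothing flagged")
```

Run over quarantined attachments, any non-empty result is a reason to hold the message for review rather than a verdict; the rules are deliberately broad so that legitimate intranet shortcuts will also surface, which is the right trade-off for a mail gateway that otherwise lets .URL files through.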

Malicious URL used in October 2 campaign. | Source: Proofpoint

One noteworthy campaign exemplifying BattleRoyal’s sophistication, observed on October 2, 2023, chained multiple Traffic Delivery Systems (TDS). The attack chain included 404 TDS, Keitaro TDS, and .URL files exploiting CVE-2023-36025, culminating in the execution of the DarkGate malware.

Another significant discovery was the RogueRaticate fake browser update campaign identified on October 19. This campaign cleverly employed .css steganography to conceal malicious code within the update requests. Users who clicked the deceptive update button unknowingly downloaded a .URL file, triggering the DarkGate payload.

A replica of a fake Chrome update page. | Source: Proofpoint

The BattleRoyal cluster exhibited adaptability from late November to early December, substituting DarkGate with NetSupport in observed campaigns. This shift may be attributed to a surge in DarkGate’s popularity, prompting threat researchers to analyse the malware more deeply.

This campaign showcases a unique blend of attack vectors, leveraging email and compromised websites with fake update lures to deliver DarkGate and NetSupport. “Proofpoint has observed cybercriminal threat actors adopting new, varied, and increasingly creative attack chains – including various TDS tools – to enable malware delivery,” said the researchers.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
