In a sweeping wave of cyber onslaughts this fall, a threat actor, dubbed "BattleRoyal," executed a myriad of sophisticated social engineering campaigns against organizations in the United States and Canada. 

The primary objective behind these orchestrated attacks was to infiltrate systems with the elusive and multifaceted DarkGate malware. 

Researchers from Proofpoint uncovered a web of diverse tactics and strategies deployed by this elusive entity.

BattleRoyal's Identity Conundrum

[Image: BattleRoyal Hack: Threat Actors Use 'Special' Type of Social Engineering to Deliver DarkGate RAT Malware (Photo: Gerd Altmann from Pixabay)]
As hackers keep refining the social engineering techniques behind their malware attacks, the "BattleRoyal" cybercriminals are likewise using new methods to infiltrate systems.

The researchers, in a recent blog post, grapple with the challenge of definitively categorizing BattleRoyal as either a completely new threat actor or an entity linked to existing ones. 

The complexity arises from the extensive range of tactics, techniques, and procedures (TTPs) employed by BattleRoyal, making it a formidable and elusive adversary in the cybersecurity landscape.

According to DarkReading, BattleRoyal employs an array of techniques to deploy DarkGate, coupled with the recent inclusion of the NetSupport remote control software. The arsenal includes phishing emails on a large scale, fake browser updates, exploitation of traffic distribution systems (TDSs), malicious VBScript, steganography, and exploitation of a Windows Defender vulnerability. 

Intriguingly, despite the diversity of these tactics, there is no documented instance of successful exploitation thus far.


Phishing Expeditions and TDS Utilization

BattleRoyal demonstrates a penchant for traditional email phishing, orchestrating over 20 campaigns between September and November. These campaigns, comprising tens of thousands of emails, often commence with seemingly innocuous messages. 

The embedded links pass through multiple traffic distribution systems (TDSs), a common technique for redirecting users to URLs that exploit CVE-2023-36025.

Speaking of the exploit, the attackers leverage CVE-2023-36025, a security feature bypass vulnerability in Microsoft Defender SmartScreen with a CVSS score of 8.8, to get past SmartScreen's protections.

Irony ensues as SmartScreen, designed to enhance security by preventing users from falling prey to phishing sites, becomes a gateway for BattleRoyal's malicious activities. It is noteworthy that BattleRoyal potentially exploited this vulnerability as a zero-day, preceding its public disclosure.

DarkGate RAT Malware

At the heart of BattleRoyal's intricate web lies DarkGate, malware that combines loader, cryptominer, and remote access Trojan (RAT) capabilities. Although DarkGate has existed for over half a decade, its resurgence in October marked a significant uptick in activity. The surge is attributed to the malware developer leasing it to a select group of affiliates, a practice advertised on cybercriminal hacking forums.

The recent addition of NetSupport to the attack chain prompts speculation about BattleRoyal's motivations and the ever-evolving landscape of cybersecurity threats.

"Proofpoint regularly sees TDSs used by threat actors in attack chains, specifically cybercrime campaigns. Threat actors use them to ensure the computers they want to be compromised are, and anything that doesn't meet their standards such as a bot, possible researcher, etc., will be redirected away from payload delivery. The two most common TDSs these days are the same ones used by BattleRoyal: 404 TDS, and the legitimate Keitaro TDS," Proofpoint's senior threat intelligence analyst Selena Larson said.

RAT malware is everywhere, and it comes in various forms, just like other malicious software.

For instance, a new breed of the threat called "SugarGh0st" RAT was deployed by alleged state-sponsored hackers from China. The campaign targeted Uzbekistan and South Korea.


Joseph Henry

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.