'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick

The shadowy threat actor uses some nifty tricks to drop popular malware with targets that meet its specifications.

3 Min Read
Source: Karel Tupy via Alamy Stock Photo

This fall, an unidentified threat actor executed dozens of varied social engineering campaigns against American and Canadian organizations across a variety of industries, with the goal of infecting them with the multifaceted DarkGate malware.

In a blog post this week, researchers from Proofpoint were unable to definitively say whether the perpetrator it's calling "BattleRoyal" is a totally new actor or related to any existing one. Perhaps part of the trouble has to do with its sheer variety of tactics, techniques, and procedures (TTPs) it uses.

To deliver DarkGate, and more recently the NetSupport remote control software, BattleRoyal uses phishing emails en masse, as well as fake browser updates, taking advantage of traffic distribution systems (TDSs), malicious VBScript, steganography, and a Windows Defender vulnerability along the way. To date, though, none of these tactics have led to any known successful exploitations.

BattleRoyal's TTPs

Sometimes, BattleRoyal does its social engineering via fake browser updates. Researchers first observed this activity, tracked as "RogueRaticate," in mid-October. In these cases, the attacker injects requests into domains it secretly controls, using content style sheets (CSS) steganography to conceal its malicious code. The code filters traffic and then redirects targeted browser users to the fake update.

However, BattleRoyal is most fond of traditional email phishing. Between September and November, it was responsible for at least 20 such campaigns representing tens of thousands of emails in all.

They typically begin with a rather garden-variety message.

Example of an email used in BattleRoyal technique

The links contained in the body might make use of multiple TDSs — a common tool for today's cybercriminals.

"Proofpoint regularly sees TDSs used by threat actors in attack chains, specifically cybercrime campaigns," says Selena Larson, senior threat intelligence analyst at Proofpoint. "Threat actors use them to ensure the computers they want to be compromised are, and anything that doesn’t meet their standards such as a bot, possible researcher, etc., will be redirected away from payload delivery." The two most common TDSs these days, she adds, are the same ones used by BattleRoyal: 404 TDS, and the legitimate Keitaro TDS.

The TDSs redirect users to a URL file that takes advantage of CVE-2023-36025, an 8.8 critical bypass vulnerability that undermines Microsoft Defender SmartScreen; ironically, SmartScreen is a security feature of Windows designed to prevent users from ending up on phishing sites.

BattleRoyal appears to have been exploiting CVE-2023-36025 as a zero-day, prior to its disclosure last month (and subsequent public exploit).

DarkGate Gets Too Hot

When double clicked, the malicious URL files bypass Windows defenses and download malicious VBScript that executes a series of shell commands. And it's at the end of this chain where DarkGate lies.

DarkGate is a combination loader-cryptominer-remote access Trojan (RAT). Although it's been around for over half a decade, Larson explains, "it recently emerged around October as one of the most frequently observed malware payloads by a small set of threat actors. The recent spike in activity is likely due to the developer renting out the malware to a small number of affiliates, which they advertised on cybercriminal hacking forums." Besides BattleRoyal, Proofpoint has observed groups it tracks as TA577 and TA571 using it, as well.

About a month ago, BattleRoyal's email campaigns swapped out DarkGate for NetSupport, a legitimate remote access tool that's made the cybercriminal rounds for some years now.

"It remains to be seen if the reason for the payload switch is due to the spike in DarkGate’s popularity and the subsequent attention paid to the malware by threat researchers and the security community (which can lead to reduction of efficacy)," Larson says, "or simply a temporary change to a different payload."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights