Security researchers have warned about DarkGate, a remote access Trojan and loader that has recently gained notoriety.
Earlier today, Proofpoint confirmed it has been tracking a distinct operator of the DarkGate malware, temporarily named BattleRoyal, noting its use in at least 20 email campaigns from September to November 2023.
These campaigns were characterized by their diverse delivery methods, including emails, Microsoft Teams, Skype, malvertising and fake updates.
The BattleRoyal cluster demonstrated a significant focus on exploiting a specific vulnerability, CVE-2023-36025, which affects Windows SmartScreen, a security feature designed to thwart visits to malicious websites.
Notably, BattleRoyal exploited this vulnerability before it was publicly disclosed by Microsoft.
The modus operandi involved using various attack tools, such as 404 TDS, Keitaro TDS and URL files, with the latter exploiting the Windows vulnerability mentioned above.
Proofpoint identified multiple campaigns exploiting CVE-2023-36025, but BattleRoyal stood out for its frequency in leveraging this vulnerability.
The malware delivery mechanisms included email campaigns and a RogueRaticate fake browser update.
In a notable evolution, the BattleRoyal cluster transitioned from DarkGate to NetSupport, a well-established remote access tool, in late November to early December.
This change could be attributed to a rise in DarkGate's popularity or a strategic shift.
The campaigns exhibited a gradual evolution, employing two.
According to Proofpoint, the BattleRoyal cluster's use of multiple attack chains highlights a new trend among cybercriminals.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 21 Dec 2023 16:30:23 +0000