'BattleRoyal' Hackers Deliver DarkGate RAT Using Every Trick

This fall, an unidentified threat actor executed dozens of varied social engineering campaigns against American and Canadian organizations across a variety of industries, with the goal of infecting them with the multifaceted DarkGate malware.
Part of what makes the actor, dubbed BattleRoyal, hard to pin down is the sheer variety of tactics, techniques, and procedures (TTPs) it uses.
To deliver DarkGate, and more recently the NetSupport remote control software, BattleRoyal sends phishing emails en masse and plants fake browser updates, leaning on traffic distribution systems (TDSs), malicious VBScript, steganography, and a Windows Defender SmartScreen bypass (CVE-2023-36025) along the way.
To date, none of these tactics is known to have led to a successful compromise.
BattleRoyal's TTPs

Sometimes BattleRoyal does its social engineering via fake browser updates.
In these cases, the attacker injects requests pointing at domains it secretly controls, using Cascading Style Sheets (CSS) steganography to conceal the malicious code.
That code filters incoming traffic and redirects only targeted browser users to the fake update page.
BattleRoyal is most fond of traditional email phishing.
Between September and November, it was responsible for at least 20 such campaigns representing tens of thousands of emails in all.
They typically begin with a rather garden-variety message.
The links in the message body may pass through multiple traffic distribution systems (TDSs), a common tool among today's cybercriminals.
BattleRoyal appears to have exploited CVE-2023-36025, a Windows SmartScreen security feature bypass, as a zero-day before Microsoft disclosed and patched it last month. The flaw lets a crafted Internet Shortcut (.url) file that points at an attacker-hosted payload skip the SmartScreen warning that would normally stop it.
DarkGate Gets Too Hot

When double-clicked, the malicious .url files bypass Windows SmartScreen and download malicious VBScript that executes a series of shell commands.
It's at the end of this chain where DarkGate lies.
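The chain above starts with an Internet Shortcut (.url) file whose target lives on a remote share. As an added example (not Proofpoint's, Dark Reading's, or the campaign's own code), the Python script below parses a .url file and flags that lure shape: a URL= field that is a file:// or UNC/WebDAV path ending in a script or loader extension. The assumption is that CVE-2023-36025 abuse relies on exactly such a remote-share target; the hosts, share names, file names, and the extension list are constructed for the demo, not indicators from the campaign.

```python
"""Triage Windows Internet Shortcut (.url) files for the CVE-2023-36025 lure shape.

Added example (not Proofpoint's, Dark Reading's, or the attacker's code).
Assumption: the lure's URL= field points at a file:// or UNC/WebDAV share that
hosts a script; the hosts, shares, and file names below are constructed.
"""
import re
from urllib.parse import urlparse

# Extensions Windows hands to a script host or loader when launched from a share.
# Assumption: a conservative, non-exhaustive list; tune it for your environment.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
               ".ps1", ".cmd", ".bat", ".exe", ".msi", ".cpl", ".lnk"}

# WebDAV redirector syntax: \\host@80\share or \\host@SSL\share
WEBDAV_RE = re.compile(r"^\\\\[^\\]+@(\d+|ssl)\\", re.IGNORECASE)


def parse_url_file(text: str) -> dict:
    """Minimal INI parser: keys of the [InternetShortcut] section, lower-cased."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def is_remote_file_target(target: str) -> bool:
    """True for UNC paths and for file:// URLs that carry a host part."""
    t = target.strip()
    if t.startswith("\\\\"):
        return True
    parsed = urlparse(t)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def target_extension(target: str) -> str:
    """Lower-cased extension of the final path component, or '' if none."""
    t = target.strip()
    parsed = urlparse(t)
    path = parsed.path if parsed.scheme else t
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_url_shortcut(text: str) -> dict:
    """Return the URL= target and a list of findings; no findings means nothing matched."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    findings = []
    if is_remote_file_target(target):
        findings.append("remote-file-target")
    if target_extension(target) in SCRIPT_EXTS:
        findings.append("script-payload")
    if WEBDAV_RE.match(target.strip()):
        findings.append("webdav-port-syntax")
    return {"target": target, "findings": findings, "suspicious": bool(findings)}


# Constructed samples; 10.0.0.5 and 192.0.2.10 are not real campaign hosts.
LURE_SMB = """[InternetShortcut]
URL=file://10.0.0.5/share/Invoice_2023.vbs
IconIndex=1
"""
LURE_WEBDAV = r"""[InternetShortcut]
URL=\\192.0.2.10@80\dav\update.cpl
"""
BENIGN = """[InternetShortcut]
URL=https://www.example.com/docs
"""

if __name__ == "__main__":
    for label, sample in (("smb", LURE_SMB), ("webdav", LURE_WEBDAV), ("benign", BENIGN)):
        print(label, triage_url_shortcut(sample))
```

Run it over .url attachments pulled from mail or from user download folders; a hit is a triage cue, not proof of compromise. Because the bypass depends on fetching the payload from a remote share, blocking outbound SMB (TCP 445) and WebDAV at the perimeter breaks the chain whether or not the November patch is in place.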
DarkGate is a combined loader, cryptominer, and remote access Trojan (RAT).
About a month ago, BattleRoyal's email campaigns swapped DarkGate out for NetSupport, a legitimate remote access tool that cybercriminals have abused for years.


This Cyber News was published on www.darkreading.com. Publication date: Thu, 21 Dec 2023 22:00:30 +0000