BattleRoyal Cluster: A DarkGate Contender Rises with Devious Tricks and Evolving Tactics
In the ever-evolving landscape of cyber threats, a new and menacing player emerged throughout the summer and fall of 2023, aiming to take the top spot in the realm of Remote Access Trojans (RATs) and loaders. DarkGate, as it came to be known, quickly garnered attention as it was spotted in the hands of multiple cybercriminal actors, utilizing a wide range of distribution methods.
DarkGate’s arrival was marked by its versatility in spreading across the digital realm. Cybercriminals leveraged various channels, including email, Microsoft Teams, Skype, malvertising, and deceptive fake updates, to propagate this formidable malware. As this dark force continued to gather strength, security researchers at Proofpoint embarked on a mission to understand its origin and motives.
One particularly interesting revelation in the DarkGate saga was the emergence of an operator, temporarily dubbed “BattleRoyal,” who orchestrated a series of malicious campaigns between September and November 2023. These campaigns bore unique GroupIDs, such as “PLEX,” “ADS5,” “user_871236672,” and “usr_871663321.” These GroupIDs are essentially configuration settings that play a pivotal role in customizing the malware’s behavior.
The BattleRoyal campaigns stood out for several reasons:
1. Delivery Methods: DarkGate was delivered both via email and via RogueRaticate fake browser updates served from compromised websites.
2. Volumes and Geography: Tens of thousands of emails targeted a wide array of industries, primarily in the USA and Canada.
3. Attack Chain: DarkGate campaigns were equipped with a potent arsenal of tools, including 404 TDS, Keitaro TDS, and .URL files that exploited CVE-2023-36025.
On October 2, 2023, Proofpoint’s vigilant researchers identified one of the initial campaigns within the BattleRoyal cluster. It was noteworthy for the use of multiple traffic delivery systems, specifically 404 TDS and Keitaro TDS. Moreover, .URL files were consistently present in each campaign, exploiting the Windows SmartScreen vulnerability, CVE-2023-36025.
The emails in these campaigns followed a devious attack chain:
1. 404 TDS URLs redirected users to Keitaro TDS.
2. Keitaro TDS served an internet shortcut (.URL) file.
3. The .URL file, when double-clicked, downloaded a zipped VBS script.
4. The VBS script, in turn, executed a series of shell commands.
5. These shell commands created a directory, copied essential files, and ran an embedded DarkGate instance.
Notably, the BattleRoyal cluster exploited CVE-2023-36025 even before Microsoft published details about it. This vulnerability allowed threat actors to bypass SmartScreen defenses when users clicked on specially crafted .URL files, leading to the installation of malicious payloads.
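A defender triaging this chain wants to spot Internet Shortcut (.URL) files that do not point at an ordinary web page before anyone double-clicks them. The following Python check is an added example, not Proofpoint's code; the shortcut contents are constructed for illustration, and the placeholder hostnames and the list of flagged extensions are assumptions, not indicators from the report.

```python
"""Triage heuristic for Windows Internet Shortcut (.URL) files.

Added example: not Proofpoint's code. The shortcut texts below are
constructed samples, not real BattleRoyal artifacts.
"""
import configparser
from urllib.parse import urlparse

# Schemes an ordinary browser bookmark uses; anything else deserves a look.
BROWSER_SCHEMES = {"http", "https"}
# Target names that hand a click to a script, archive or executable
# (assumed list; extend to match local policy).
RISKY_EXTENSIONS = (".vbs", ".js", ".wsf", ".hta", ".zip", ".exe", ".ps1", ".cmd", ".bat")


def parse_internet_shortcut(text: str) -> dict:
    """Return the [InternetShortcut] section as a dict with lower-cased keys."""
    # .URL files are INI-style; strict=False tolerates duplicated keys and
    # the default optionxform already lower-cases key names ("URL" -> "url").
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        raise ValueError("not an Internet Shortcut file")
    return dict(cp["InternetShortcut"])


def triage_url_file(text: str) -> list[str]:
    """Return reasons this .URL file needs analyst attention (empty list = nothing found)."""
    target = parse_internet_shortcut(text).get("url", "")
    parsed = urlparse(target)
    reasons = []
    if target.startswith("\\\\"):
        reasons.append("target is a UNC share path, not a web page")
    elif parsed.scheme.lower() not in BROWSER_SCHEMES:
        reasons.append(f"non-browser scheme {parsed.scheme.lower()!r}")
    if parsed.path.lower().endswith(RISKY_EXTENSIONS):
        name = parsed.path.replace("\\", "/").rsplit("/", 1)[-1]
        reasons.append(f"target names a script or archive: {name}")
    return reasons


# Constructed samples (hostnames are placeholders, not real indicators).
BENIGN_SHORTCUT = "[InternetShortcut]\nURL=https://www.example.com/\n"
ARCHIVE_SHORTCUT = "[InternetShortcut]\nURL=https://redirector.example.invalid/get/update.zip\n"
UNC_SHORTCUT = "[InternetShortcut]\nURL=\\\\fileserver.example.invalid\\share\\loader.vbs\n"

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SHORTCUT), ("archive", ARCHIVE_SHORTCUT), ("unc", UNC_SHORTCUT)]:
        print(label, triage_url_file(sample) or ["no findings"])
```

The heuristic is deliberately conservative: it flags what the target points at, not how SmartScreen treats it, so a hit is a reason to detonate the file in a sandbox rather than a verdict on its own.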
On October 19, 2023, an external researcher unveiled the RogueRaticate fake update activity cluster, which employed an obfuscation technique first identified in 2020. This campaign targeted web users with fake browser update requests, dropping a DarkGate payload with the “ADS5” GroupID. The threat actors used .css steganography to conceal malicious code, redirecting users to fake browser updates upon interaction. This initiated a sequence reminiscent of the email campaign, further delivering DarkGate into unsuspecting hands.
As the calendar advanced into late November and early December, Proofpoint analysts observed a significant shift in the BattleRoyal cluster’s strategy. DarkGate was replaced with NetSupport, a legitimate remote access tool, in observed campaigns. This transition raised questions regarding the reasons behind the payload switch.
NetSupport, a more established tool among cybercriminals, has been part of the threat landscape for the past four years. In contrast, DarkGate’s usage had been relatively rare before the summer of 2023. The shift to NetSupport could be attributed to DarkGate’s growing popularity, attracting the attention of threat researchers and the security community. Such scrutiny could diminish its efficacy, leading cybercriminals to explore alternative payloads. Additionally, another notable change in this campaign was the use of two .URL files instead of one, indicating a gradual evolution in the cluster’s tactics.
The BattleRoyal cluster is notable for its diverse attack chains designed to deliver malware efficiently. DarkGate serves as the gateway for information theft and the downloading of additional malicious payloads, while NetSupport provides threat actors with control over infected hosts, enabling lateral movement within compromised environments. What sets BattleRoyal apart is its use of both email and compromised websites, employing fake update lures to distribute DarkGate and NetSupport.