Sunday, December 31, 2023

BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates

The "BattleRoyal" cluster, identified by Proofpoint researchers, is a threat activity cluster that delivers the DarkGate and NetSupport malware. Proofpoint associated the cluster with at least 20 email campaigns between September and November 2023; the actor's delivery methods span email, Microsoft Teams, Skype, malvertising, and fake updates. Over that period the campaigns transitioned from DarkGate to NetSupport, which may reflect a strategic shift or a response to the evolving threat landscape. The actor behind BattleRoyal has used multiple attack chains, delivering DarkGate both through email and through compromised websites that serve fake update lures. This reflects a broader trend among cybercriminals toward increasingly creative and varied delivery strategies. The campaigns are also notable for exploiting CVE-2023-36025 and for using the RogueRaticate fake update activity cluster. The threat posed by BattleRoyal underscores the importance of robust defenses against malware delivery and social engineering.

IoC

    CVE

CVE-2023-36025

    SHA256


    IPv4

  • 5.181.159.29
  • 79.110.62.96

    DOMAIN


    URL


REFERENCES

  • https://www.infosecurity-magazine.com/news/battleroyal-cluster-signals/
  • https://cyware.com/news/battleroyal-threat-cluster-spread-darkgate-rat-via-email-and-fake-browser-updates-99a80b43
  • https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
  • https://otx.alienvault.com/pulse/65855c8bd0709c708a894ca2

TAGS

BattleRoyal, DarkGate, Fake Browser Updates
