The "BattleRoyal" cluster is a threat activity cluster tracked by Proofpoint researchers that delivers the DarkGate and NetSupport malware. Proofpoint associated it with at least 20 email campaigns between September and November 2023. DarkGate has been distributed through email, Microsoft Teams, Skype, malvertising and fake browser updates; the BattleRoyal actor in particular ran several attack chains in parallel, combining email campaigns with compromised websites that served fake browser update lures (the RogueRaticate fake update activity cluster) to deliver DarkGate. In late November 2023 the campaigns shifted from DarkGate to NetSupport, a legitimate remote administration tool that is widely abused as a RAT, which points either to a change in the actor's tooling or to a reaction to the evolving threat landscape.

The campaigns are also notable for exploiting CVE-2023-36025, a Windows SmartScreen security feature bypass triggered through crafted Internet Shortcut (.url) files, which allows a downloaded payload to run without the usual SmartScreen warning. The 12.url object in the URL list below is consistent with that delivery method. The use of several distinct chains by a single actor illustrates how cybercriminals are adopting increasingly creative and varied attack strategies.

The threat posed by the BattleRoyal cluster underscores the need for layered defenses against malware delivery and social engineering: patching CVE-2023-36025, blocking or inspecting downloads of .url files, and hunting for the indicators below. Note that the network indicators reflect infrastructure observed in late 2023; match them against activity in that window and review before blocking them long term, since IP addresses and domains can change hands.
IoC
CVE
CVE-2023-36025
SHA256
- 2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084
- 7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f
- 96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77
- e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243
- ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f
- fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4
IPv4
- 5.181.159.29
- 79.110.62.96
DOMAIN
- heilee.com
- kairoscounselingmi.com
- nathumvida.org
- searcherbigdealk.com
- zxcdota2huysasi.com
URL
- http://5.181.159.29:80/Downloads/12.url
- http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe
- http://79.110.62.96:80/Downloads/bye.zip/bye.vbs
- http://searcherbigdealk.com:2351/msizjbicvmd
- http://searcherbigdealk.com:2351/zjbicvmd
- https://heilee.com/qxz3l
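The following is an added example, not part of the original post or of Proofpoint's reporting: a small Python matcher that loads the indicators listed above and checks them against proxy log lines and a list of file hashes. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for illustration; URLs are normalized before comparison so that a request logged without the default ":80" still matches the IoC, and domain matches include subdomains.

```python
import hashlib
from urllib.parse import urlparse

# Indicators copied from the IoC list in this post.
IOC_SHA256 = {
    "2f5af97b13b077a00218c60305b4eee5d88d14a9bd042beed286434c3fc6e084",
    "7562c213f88efdb119a9bbe95603946ba3beb093c326c3b91e7015ae49561f0f",
    "96ca146b6bb95de35f61289c2725f979a2957ce54761aff5f37726a85f2f9e77",
    "e2a8a53e117f1dda2c09e5b83a13c99b848873a75b14d20823318840e84de243",
    "ea8f893c080159a423c9122b239ec389939e4c3c1f218bdee16dde744e08188f",
    "fce452bcf10414ece8eee6451cf52b39211eb65ecaa02a15bc5809c8236369a4",
}
IOC_IPV4 = {"5.181.159.29", "79.110.62.96"}
IOC_DOMAINS = {
    "heilee.com",
    "kairoscounselingmi.com",
    "nathumvida.org",
    "searcherbigdealk.com",
    "zxcdota2huysasi.com",
}
IOC_URLS = {
    "http://5.181.159.29:80/Downloads/12.url",
    "http://5.181.159.29:80/Downloads/evervendor.zip/evervendor.exe",
    "http://79.110.62.96:80/Downloads/bye.zip/bye.vbs",
    "http://searcherbigdealk.com:2351/msizjbicvmd",
    "http://searcherbigdealk.com:2351/zjbicvmd",
    "https://heilee.com/qxz3l",
}


def normalize_url(url):
    """Canonical form for comparison: lower-case host, default port dropped,
    query and fragment ignored, so 'http://h:80/x' and 'http://h/x' compare equal."""
    p = urlparse(url.strip())
    host = (p.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    netloc = host if p.port in (None, default_port) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}{p.path or '/'}"


IOC_URLS_NORM = {normalize_url(u) for u in IOC_URLS}


def check_url(url):
    """Return the indicator types an observed URL matches (empty list = no hit).
    Domain matches include subdomains, since actors rotate hostnames under a zone they control."""
    reasons = []
    host = (urlparse(url.strip()).hostname or "").lower()
    if host in IOC_IPV4:
        reasons.append("ip:" + host)
    for domain in sorted(IOC_DOMAINS):
        if host == domain or host.endswith("." + domain):
            reasons.append("domain:" + domain)
    if normalize_url(url) in IOC_URLS_NORM:
        reasons.append("url")
    return reasons


# Constructed sample proxy log (not real telemetry), one request per line:
# <timestamp> <client-ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """
2023-11-20T10:15:02Z 10.0.0.15 GET http://5.181.159.29/Downloads/12.url 200
2023-11-20T10:15:09Z 10.0.0.15 GET http://searcherbigdealk.com:2351/zjbicvmd 200
2023-11-20T10:16:40Z 10.0.0.22 GET https://www.example.com/index.html 200
2023-11-20T10:17:01Z 10.0.0.31 GET https://cdn.heilee.com/update.js 404
2023-11-20T10:18:13Z 10.0.0.22 GET http://79.110.62.96:80/Downloads/bye.zip/bye.vbs 200
"""


def scan_proxy_log(text):
    """Run check_url over each log line; return the hits as dicts."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        timestamp, client, _method, url, _status = fields[:5]
        reasons = check_url(url)
        if reasons:
            hits.append({"time": timestamp, "client": client, "url": url, "reasons": reasons})
    return hits


def sha256_hex(data):
    """SHA-256 hex digest of file contents, for comparison with IOC_SHA256."""
    return hashlib.sha256(data).hexdigest()


def match_hashes(digests):
    """Intersect a list of SHA-256 hex digests (e.g. an EDR export) with the IoC set."""
    return {d.strip().lower() for d in digests} & IOC_SHA256


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit["time"], hit["client"], hit["url"], ", ".join(hit["reasons"]))
```

A domain-only hit (such as a subdomain of heilee.com) is weaker evidence than a full URL or IP match and should be triaged with the date of the request in mind, since the infrastructure in this list was observed in late 2023.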
REFERENCES
- https://www.infosecurity-magazine.com/news/battleroyal-cluster-signals/
- https://cyware.com/news/battleroyal-threat-cluster-spread-darkgate-rat-via-email-and-fake-browser-updates-99a80b43
- https://www.proofpoint.com/us/blog/threat-insight/battleroyal-darkgate-cluster-spreads-email-and-fake-browser-updates
- https://otx.alienvault.com/pulse/65855c8bd0709c708a894ca2
TAGS
BattleRoyal, DarkGate, Fake Browser Updates