‘BattleRoyal’ Hackers Deliver DarkGate RAT Using Every Trick

December 21, 2023 at 05:04PM

An unidentified threat actor conducted numerous social engineering campaigns targeting American and Canadian organizations, aiming to infect them with the multifaceted DarkGate malware. Named “BattleRoyal,” the actor used a variety of techniques, including phishing emails, fake browser updates, and exploitation of a Windows Defender vulnerability. The actor later switched to using NetSupport remote control software.

An unidentified threat actor known as “BattleRoyal” has run numerous social engineering campaigns aimed at American and Canadian organizations across various industries. The goal of these campaigns has been to infect organizations with the multifaceted DarkGate malware and, more recently, NetSupport remote control software.

BattleRoyal has employed a variety of tactics, techniques, and procedures (TTPs), including mass phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and even exploitation of a Windows Defender vulnerability (CVE-2023-36025).

Despite this, Proofpoint researchers have noted that to date, none of BattleRoyal’s tactics have led to any known successful exploitations. It is worth noting that BattleRoyal is also associated with the use of DarkGate in conjunction with other threat groups such as TA577 and TA571.

A Proofpoint blog post suggested that BattleRoyal’s recent switch from DarkGate to NetSupport may be attributed to the increased attention paid to DarkGate by threat researchers and the security community, which can reduce its efficacy.

These findings and insights provide a comprehensive understanding of BattleRoyal’s activities and modus operandi, shedding light on its evolving strategies and tactics.
