We are about to witness a significant increase in the deployment of DarkGate and NetSupport, security experts warn.
Proofpoint researchers claim to have spotted a brand new threat actor called “BattleRoyal”. This threat actor set up at least 20 email campaigns to distribute the DarkGate malware during September and November of this year.
In late November and early December, the group switched from DarkGate to NetSupport, a legitimate remote access tool often abused by hackers to establish persistence on targeted endpoints. In addition to emails, the group also used a series of compromised websites and fake updates to trick people into downloading the malware.
Exploitation of a SmartScreen error
The reasons for the switch remain a mystery, with researchers suggesting it may be due to DarkGate attracting too much attention.
Regardless, the group exploited a vulnerability tracked as CVE-2023-36025 to deliver the malware. Other groups also exploited this flaw, but the BattleRoyal cluster “exploited this vulnerability more than any other actor observed in the Proofpoint threat data.” BattleRoyal was already abusing it before it was published by Microsoft, the company said.
The flaw was found in Windows SmartScreen, a security feature designed to prevent people from visiting dangerous websites. Proofpoint explained that the attackers were able to bypass the SmartScreen defenses by making the victim click on a specially crafted URL, which the vulnerability enabled.
As explained by Malpedia, DarkGate is a commodity loader that was first documented in 2018. It comes with numerous features, including the ability to download and execute files to memory, a Hidden Virtual Network Computing (HVNC) module, the ability to log keystrokes, steal sensitive data, information and escalate privileges. DarkGate exploits legitimate AutoIt files and typically runs multiple AutoIt scripts.
Since May 2023, new versions of DarkGate have been advertised on a Russian-language eCrime forum, the report concludes.