Battleroyal

Threat Actor updated 23 days ago (2024-11-29T13:39:25.716Z)
Download STIX
Preview STIX
BattleRoyal, a threat actor group, has been observed using a variety of attack channels to deliver the DarkGate remote access trojan (RAT). These include phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and notably, a Windows SmartScreen vulnerability (CVE-2023-36025). The group exploited this vulnerability before its public disclosure by Microsoft, indicating their advanced capabilities. BattleRoyal's operations saw a surge around October, with the group emerging as one of the most frequently observed malware payloads by a small set of threat actors. In a significant evolution, BattleRoyal transitioned from using DarkGate to NetSupport, a well-established remote access tool, in late November to early December. This shift raises questions about the group's motivations and highlights the dynamic nature of cyber threats. Although NetSupport has been around for over half a decade, it recently became a popular choice among cybercriminals, including groups tracked as TA577 and TA571, due to its developer renting out the software on hacking forums. Despite these changes, BattleRoyal has shown no signs of slowing down as the year-end approaches. About a month ago, the group's email campaigns swapped out DarkGate for NetSupport, demonstrating an ongoing commitment to evolving their methods. In addition, BattleRoyal seems to have been exploiting CVE-2023-36025 as a zero-day, prior to its disclosure and subsequent public exploit. The two most common TDSs used by BattleRoyal are 404 TDS and the legitimate Keitaro TDS, tools that enable them to ensure their targeted computers are compromised while redirecting non-targets away from payload delivery.
Description last updated: 2024-05-04T20:13:09.797Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Windows
Exploit
Proofpoint
Malware
Bot
Payload
Zero Day
Phishing
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Darkgate Malware is associated with Battleroyal. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicioUnspecified
4
The Netsupport Malware is associated with Battleroyal. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate systemUnspecified
3
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The TA577 Threat Actor is associated with Battleroyal. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicallUnspecified
2
Associated Vulnerabilities
To see the evidence that has resulted in these vulnerability associations, create a free account
Alias DescriptionAssociation TypeVotes
The CVE-2023-36025 Vulnerability is associated with Battleroyal. CVE-2023-36025 is a significant vulnerability identified in the Windows SmartScreen security feature. It was one of three zero-day vulnerabilities discovered, with the others being CVE-2023-36033, a privilege escalation vulnerability in the Windows DWM Core Library, and CVE-2023-36036, another priviUnspecified
3
Source Document References
Information about the Battleroyal Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more