Battleroyal

Threat Actor updated 7 months ago (2024-05-04T20:19:46.049Z)
BattleRoyal is a threat actor cluster observed delivering the DarkGate remote access trojan (RAT) through a variety of channels: phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography and, notably, a Windows SmartScreen security-feature bypass (CVE-2023-36025). The group appears to have exploited CVE-2023-36025 as a zero-day, before Microsoft's public disclosure and the subsequent release of a public exploit, which indicates a higher level of capability than typical commodity-malware operators.

BattleRoyal's activity surged around October, when DarkGate became one of the most frequently observed malware payloads despite being distributed by only a small set of threat actors. In late November to early December the group's email campaigns switched from DarkGate to NetSupport, an established remote access tool. NetSupport has existed for well over half a decade but has only recently become a popular choice among cybercriminals, including the groups tracked as TA577 and TA571, reportedly because its developer rents the software out on hacking forums. The shift raises questions about the group's motivations and illustrates how quickly a single actor's tooling can change; BattleRoyal has shown no signs of slowing down as the year-end approaches.

The two TDSs BattleRoyal uses most often are 404 TDS and the legitimate commercial Keitaro TDS. A TDS sits between the lure and the payload: it evaluates each visitor (for example by geolocation, user agent or referrer) and forwards only those who match the campaign's targeting criteria to the payload, while redirecting everyone else to benign content. For defenders, this means that detonating a lure URL from an unexpected location, browser or network may never reach the DarkGate or NetSupport payload at all.
Description last updated: 2024-05-04T20:13:09.797Z
Aliases: none currently tracked.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Vulnerability
Windows
Exploit
Proofpoint
Malware
Bot
Payload
Zero Day
Phishing
Associated Malware
Alias: DarkGate | Association type: Unspecified | Votes: 4
The Darkgate Malware is associated with Battleroyal. DarkGate is a multifunctional malware that poses significant threats to computer systems and networks. It has been associated with various malicious activities such as information theft, credential stealing, cryptocurrency theft, and ransomware delivery. DarkGate infiltrates systems through suspicio…

Alias: NetSupport | Association type: Unspecified | Votes: 3
The Netsupport Malware is associated with Battleroyal. NetSupport is a legitimate remote access software that has been repurposed as malware by various cybercriminal groups. It has been observed in several high-profile cyber-attacks, including the Royal ransomware attack and operations conducted by former ITG23 members. The malware can infiltrate system…
Associated Threat Actors
Alias: TA577 | Association type: Unspecified | Votes: 2
The TA577 Threat Actor is associated with Battleroyal. TA577 is a threat actor, or malicious entity, known for its extensive use of QBot, a banking Trojan. In November 2023, Proofpoint's Threat Research Team identified TA577 as an initial access broker that began using Latrodectus, a new malware, in three separate intrusion campaigns. The group typicall…
Associated Vulnerabilities
Alias: CVE-2023-36025 | Association type: Unspecified | Votes: 3
The CVE-2023-36025 Vulnerability is associated with Battleroyal. CVE-2023-36025 is a significant vulnerability identified in the Windows SmartScreen security feature. It was one of three zero-day vulnerabilities discovered, with the others being CVE-2023-36033, a privilege escalation vulnerability in the Windows DWM Core Library, and CVE-2023-36036, another privi…