Source |
ProofPoint |
Identifier |
8426708 |
Publication date |
2023-12-21 05:00:25 (viewed: 2023-12-21 11:08:01) |
Title |
BattleRoyal, DarkGate Cluster Spreads via Email and Fake Browser Updates |
Text |
Overview
Throughout the summer and fall of 2023, DarkGate entered the ring competing for the top spot in the remote access trojan (RAT) and loader category. It was observed in use by multiple cybercrime actors and was spread via many methods such as email, Microsoft Teams, Skype, malvertising and fake updates.
Proofpoint researchers are tracking a particularly interesting operator of the DarkGate malware. At the time of publication, researchers are not attributing this cluster of activity to a known threat actor and are temporarily calling it BattleRoyal. Between September and November 2023, at least 20 email campaigns used DarkGate malware with GroupIDs “PLEX”, “ADS5”, “user_871236672” and “usr_871663321”. The GroupID is a configuration setting that is also referred to as username, botnet, campaign, or flag 23. The campaigns are notable for:
Delivery: via email and RogueRaticate fake browser updates
Volumes and geography: email campaigns include tens of thousands of emails targeting dozens of industries, primarily in the USA and Canada
Attack chain: includes a variety of notable tools such as 404 TDS, Keitaro TDS, and .URL files exploiting CVE-2023-36025
Volume of DarkGate campaigns based on four GroupIDs discussed in this report.
TDS all the things! (an email campaign example)
On October 2, 2023, Proofpoint identified one of the first campaigns in this cluster. It was notable due to the use of more than one traffic delivery system (TDS), specifically 404 TDS and Keitaro TDS. Additionally, the .URL files involved exploited CVE-2023-36025, a vulnerability in Windows SmartScreen. While other parts of the attack chain from this actor changed or varied, .URL files were involved in every campaign.
The emails in this campaign contained:
404 TDS URLs that, if clicked by the user, redirected to Keitaro TDS
Keitaro TDS was observed serving an internet shortcut (.URL) file
The internet shortcut, if double clicked, downloaded a zipped VBS script
The VBS in turn downloaded and executed several shell commands (cmd.exe)
The shell commands (a) created a directory on the C: drive, (b) copied curl.exe from the system folder to this new directory, (c) used curl to download Autoit3.exe, (d) used curl to download and save an AutoIT script, and (e) ran the downloaded AutoIT script with the downloaded AutoIT interpreter
The AutoIT script ran an embedded DarkGate
Attack chain summary that follows the flow of: Email > 404 TDS > Keitaro TDS > .URL > .VBS > Shell commands > AutoIT / AutoIT script > DarkGate.
Screenshot of an example email from October 2 campaign.
Screenshot of the .URL file involved in the October 2 campaign.
Proofpoint has identified multiple cybercriminal campaigns exploiting CVE-2023-36025; however, the BattleRoyal cluster exploited this vulnerability more than any other actor observed in Proofpoint threat data. Notably, this activity cluster exploited CVE-2023-36025 before it was published by Microsoft. SmartScreen is a security feature designed to prevent people from visiting malicious websites. The vulnerability could allow an actor to bypass the SmartScreen defenses if a user clicked on a specially crafted .URL file or a hyperlink pointing to a .URL file. More specifically, a SmartScreen alert would not be triggered when a .URL points to an SMB or WebDAV share as file:// and the malicious payload is inside a ZIP file that is specified in the URL target.
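The bypass condition above (a file:// target on a remote SMB or WebDAV share with a ZIP named in the path) is simple enough to check mechanically during mail or endpoint triage. The following Python script is an added example, not Proofpoint's code and not part of the original report: it parses the [InternetShortcut] section of a .URL file, normalizes the target, and classifies it. The sample shortcut files, the 203.0.113.x host and the file names are constructed placeholders; the handling of the host@port WebDAV authority form is an assumption about how such targets are written.

```python
"""Triage Windows internet shortcut (.URL) files for the SmartScreen-bypass
pattern: file:// target -> remote SMB/WebDAV host -> ZIP archive in the path.
Added example; samples below are constructed, not real campaign artefacts."""
import re
from typing import Optional
from urllib.parse import unquote, urlparse

# ".zip" as a whole path segment (payload inside the archive follows it)
ARCHIVE_RE = re.compile(r"\.zip(?=/|$)", re.IGNORECASE)
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_url_file(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None.
    Tolerates a UTF-8 BOM, CRLF line endings and mixed-case keys."""
    section = None
    for raw in text.lstrip("\ufeff").splitlines():
        m = SECTION_RE.match(raw)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "internetshortcut" and "=" in raw:
            key, _, value = raw.partition("=")
            if key.strip().lower() == "url":
                return value.strip()
    return None


def remote_host(netloc: str) -> Optional[str]:
    """Host part of a file:// authority. Assumption: in the WebDAV UNC form
    host@port (e.g. host@80) everything before '@' is the host."""
    if not netloc:
        return None
    return netloc.split("@", 1)[0] or None


def triage_url_file(text: str) -> dict:
    """Classify one .URL file body. Verdicts:
    no-url, not-file-scheme, local-file, remote-file-share,
    smartscreen-bypass-pattern (remote share + ZIP in path)."""
    url = parse_url_file(text)
    result = {"url": url, "scheme": None, "remote_host": None,
              "archive_in_path": False, "verdict": "no-url"}
    if url is None:
        return result
    # file:\\host\share\a.zip\b.vbs and file://host/share/... are equivalent
    parsed = urlparse(unquote(url.replace("\\", "/")))
    result["scheme"] = parsed.scheme.lower()
    result["remote_host"] = remote_host(parsed.netloc)
    result["archive_in_path"] = bool(ARCHIVE_RE.search(parsed.path))
    if result["scheme"] != "file":
        result["verdict"] = "not-file-scheme"
    elif not result["remote_host"]:
        result["verdict"] = "local-file"
    elif result["archive_in_path"]:
        result["verdict"] = "smartscreen-bypass-pattern"
    else:
        result["verdict"] = "remote-file-share"
    return result


# Constructed sample shortcuts (placeholders, not indicators from the report)
SAMPLES = {
    "benign": "[InternetShortcut]\r\nURL=https://example.com/\r\n",
    "local": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
    "webdav_zip": ("\ufeff[InternetShortcut]\r\n"
                   "URL=file://203.0.113.10@80/downloads/update.zip/update.vbs\r\n"
                   "IconIndex=3\r\n"),
    "smb_zip": "[InternetShortcut]\r\nURL=file:\\\\203.0.113.11\\share\\a.zip\\b.vbs\r\n",
    "smb_plain": "[InternetShortcut]\r\nURL=file://203.0.113.12/share/doc.pdf\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = triage_url_file(body)
        print(f"{name:10s} {r['verdict']:27s} host={r['remote_host']} url={r['url']}")
```

The verdict "smartscreen-bypass-pattern" is a triage signal, not proof of exploitation: legitimate shortcuts rarely point at a ZIP on a remote share, so hits are worth quarantining and inspecting, while "remote-file-share" alone merits a lower-priority look.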
RogueRaticate (fake browser update campaign example)
On October 19, 2023, an external researcher identified and publicly shared details of the RogueRaticate fake update activity cluster, which uses an interesting obfuscation technique first identified in 2020. Proofpoint subsequently identified the activity in Proofpoint data. This campaign delivered fake browser update requests to end users in their web browsers that dropped a DarkGate payload with the “ADS5” GroupID. The threat actor injected a request to a domain they controlled that used .css steganography to conceal the malicious c |
Tags |
Malware
Tool
Vulnerability
Threat
Prediction
|