DarkGate Malware, also known as BattleRoyal, spreads through weaponized fake browser updates and emails. Once installed, it permits the download and execution of further malware.
According to Proofpoint, the malware is designed to download additional malware directly into memory on both 32- and 64-bit systems. It is written in Delphi, and its distinguishing characteristic is that it does not reside in the file system, which makes it harder to detect.
The report states that a total of 20 email campaigns have been identified that used the DarkGate malware. These campaigns were distinguished by GroupIDs such as “PLEX”, “ADS5”, “user_871236672”, and “usr_871663321”.
GroupID is a DarkGate configuration parameter that uniquely identifies a campaign across all of the operator's campaigns; it is also referred to as the username, botnet, campaign, or flag 23.
- Delivery
- Volumes and geography
- Attack chain
For instance, the RogueRaticate fraudulent-update activity cluster uses a tricky obfuscation method first observed in 2020.
End users’ web browsers were infected with a DarkGate payload through fraudulent browser update prompts. The threat actor injected a request to a domain under their control and hid the malicious code using steganography; the payload carried the GroupID “ADS5”.
To avoid detection, steganography conceals sensitive information inside an ordinary, non-secret file or message. At the destination, the hidden data is extracted from that ordinary file or message, so the concealed content escapes discovery in transit.
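To make the concealment-and-extraction step concrete, here is an added example (not code from the article, Proofpoint, or the actor): a constructed payload is hidden in the least-significant bits of a constructed carrier, a generic stand-in for whatever innocuous file RogueRaticate actually uses, which the article does not specify. It also shows a simple transition-rate check that a defender can run over a suspect file's LSB plane, since flat regions of a genuine image produce long LSB runs while a plane carrying arbitrary data does not.

```python
# Added example, not code from the article, Proofpoint or the actor.
# Hides a constructed payload in the least-significant bits of a constructed
# carrier (a stand-in for the innocuous file the article describes) and shows
# a simple statistical check a defender can run on suspect files.
import hashlib

def lsb_embed(carrier: bytes, payload: bytes) -> bytes:
    """Write a 32-bit length header plus the payload, one bit per carrier byte."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in framed for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)

def lsb_extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the LSB plane."""
    def read_bytes(start: int, count: int) -> bytes:
        if start + count * 8 > len(stego):
            raise ValueError("length header exceeds carrier size")
        vals = bytearray()
        for byte_i in range(count):
            b = 0
            for bit_i in range(8):
                b = (b << 1) | (stego[start + byte_i * 8 + bit_i] & 1)
            vals.append(b)
        return bytes(vals)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def lsb_transition_rate(data: bytes) -> float:
    """Fraction of adjacent bytes whose LSBs differ. Flat regions of a real
    image give long LSB runs; a plane carrying arbitrary data nears 0.5."""
    lsbs = [b & 1 for b in data]
    changes = sum(1 for a, b in zip(lsbs, lsbs[1:]) if a != b)
    return changes / max(1, len(lsbs) - 1)

def looks_stego(data: bytes, threshold: float = 0.3) -> bool:
    """Heuristic only: smooth carriers fall well below the threshold."""
    return lsb_transition_rate(data) > threshold

# Constructed carrier: each 8-bit value repeated 16 times, like flat image areas.
CARRIER = bytes(v for v in range(256) for _ in range(16))
# Constructed payload: deterministic pseudo-random bytes standing in for hidden code.
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(15))
```

On the constructed carrier the clean transition rate is about 0.06 and the stego version about 0.47; real detectors use richer statistics, but the contrast is the point.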
Meanwhile, the steganographically hidden code sends a request to an actor-owned Keitaro domain, which is used to filter out unwanted traffic.
The fake browser update is shown only to users who pass this traffic filtering; clicking its update button installs the malware through their browser.