A new threat actor has spent the last few months ramping up attacks involving the DarkGate and NetSupport malware, and this is set to increase further. 

The name of this new threat actor is BattleRoyal, and between September and November 2023, they launched numerous attacks. These attacks featured the DarkGate and NetSupport malware, both powerful strains of malware. DarkGate employs multiple malicious activities such as keylogging, data theft, and cryptocurrency mining. Meanwhile, NetSupport – which is a legitimate application – is being exploited and repurposed as a remote access trojan, which gives threat actors unauthorized access to IT systems. 

DarkGate and NetSupport both have the potential to cause great damage to your IT infrastructure and the security of your data. This means you need to know how to identify and deal with them. 

BattleRoyal’s Malware Campaign 

BattleRoyal appears to have launched its first wave of attacks in September 2023. This campaign involved email techniques to unleash the DarkGate malware on unsuspecting victims. At least 20 instances of this attack have been recorded, but it’s highly likely that more users were infected. Perhaps due to the noise that DarkGate was creating, BattleRoyal quickly switched its choice of weaponry to NetSupport in November. As well as using email campaigns to spread NetSupport, BattleRoyal also employed malicious websites and fake updates to infect PC users. 

DarkGate is also notable for taking advantage of a vulnerability located in Windows SmartScreen. The main objective of SmartScreen is to protect users from accessing malicious websites. However, BattleRoyal were able to work around this by using a special URL which, due to the vulnerability in SmartScreen, gave users access to a malicious website. Clearly a sophisticated threat actor, BattleRoyal had discovered this vulnerability – logged as CVE-2023-36025 – long before Microsoft acknowledged its existence. 

How to Stay Safe from BattleRoyal 

Microsoft has since launched a security patch to combat the CVE-2023-36025 vulnerability, and installing this remains the surest way to combat the activity of DarkGate. However, given that BattleRoyal has used a multi-pronged attack, with NetSupport being used to download further malware, you can’t rely on patches alone. Vigilance, as ever, is vital. Therefore, you need to practice these best security tips to prevent any infections: 

  • Beware of phishing emails: one of the most popular ways to breach the defenses of IT infrastructures involves phishing emails. Not only can these emails be used to steal confidential information through social engineering techniques, but they can also be used to direct recipients towards malicious websites and files. Therefore, it’s important that everyone in your organization can identify phishing emails
     
  • Always install updates: although BattleRoyal was able to identify the SmartScreen vulnerability before the availability of a patch, this doesn’t mean you should minimize the importance of updates. All updates should be installed as soon as they’re available, activating automatic updates is the best way to guarantee that your defenses are fully up-to-date. 
     
  • Use security software: reputable security software is one of the simplest, yet most effective ways to protect your IT systems against malware. Capable of identifying and removing malware before it’s activated, anti-malware tools should be an essential part of your IT defenses. As well as carrying out automatic scans of your system, many of these security suites feature screening tools to warn against malicious websites and emails. 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


A new strain of malware called Agent Raccoon has been discovered, and it appears to have been launched by nation-state threat actors.

A wide range of different organizations – based in sectors such as education, government, non-profit, and telecommunications – have fallen victim to Agent Raccoon. And these organizations aren’t based purely in the US, with attacks also discovered in African and the Middle East. Clearly, Agent Raccoon is an ambitious piece of malware and, given the nation-state approach of the attack, it’s one to be on your guard against.

How Does Agent Raccoon Work?

Although the exact identity of the threat actors behind Agent Raccoon remains unknown, security researchers have been able to detail how the malware works. Disguised as either a Microsoft OneDrive Update or Google Update, Agent Raccoon tricks unwitting victims into downloading an executing it. Once initiated, Agent Raccoon launches its backdoor attack. Using Domain Name Service protocols, Agent Raccoon can communicate directly with the command-and-control server set up by its creators.

Primarily, Agent Raccoon focuses its malicious attention on three main areas:

  • Opening up remote access to the infected PC
  • Incoming and outgoing file transfers
  • Remote command execution

However, Agent Raccoon’s activities do not appear to be set in stone. Researchers have discovered numerous variants of Agent Raccoon, suggesting that the threat actors are regularly updating it.

Can Agent Raccoon Be Stopped?

Agent Raccoon isn’t the most persistent piece of malware to have been developed, but it remains a major problem for those that it infects. As ever, maintaining strict security practices is vital for protecting your IT infrastructure. Accordingly, you need to make sure that all members of your organization are fully versed in the following:

  • Question all emails and links: even if an email appears to have been sent by a trusted source, this can easily be faked. Therefore, all incoming emails should be scrutinized closely. This means hovering your mouse cursor over any links to reveal their true destination, double checking email addresses to confirm they are correct and not a close variation, and contacting the sender of emails to double check they are genuine.
  • Only accept updates from genuine sources: software updates are an important aspect of PC security but should only even be downloaded directly from the developer. Online adverts and emails suggesting that you download these from alternative sources should never be trusted. Often, the files at the heart of these downloads are nothing but malware. So, stick to legitimate downloads and rest assured that they will be safe.
  • Monitor network traffic: Agent Raccoon communicates with a remote server and also transmits significant amounts of data. This means that you should be monitoring your network activity for any unusual traffic. If, for example, an unknown destination regularly starts connecting with your network, it could be a sign that your network has been compromised. In these situations, connections to this destination should be terminated and fully investigated.

For more ways to secure and optimize your business technology, contact your local IT professionals

Read More


Threat actors have turned to Facebook ads to unleash NodeStealer on unsuspecting victims, and they’re using scantily clad women to achieve this. 

Facebook is no stranger to finding its ad network compromised to spread malware, but what’s interesting about this latest campaign is that it primarily targets males. At the core of this attack is NodeStealer, a strain of malware which has been active for several months. However, NodeStealer has changed. At the start of its existence, it was designed in JavaScript, but it’s now being coded with the Python programming language. 

NodeStealer is part of a wider campaign, believed to have its origins in Vietnam, to steal sensitive data, and it’s more than worthy of your attention. 

How Does NodeStealer Target its Victims? 

Using marketing strategies almost as old as time, the threat actors behind NodeStealer have used the provocative lure of female flesh to entice their victims. Taking advantage of the massive reach of Facebook’s ad network, these threat actors have created adverts which contain revealing photos of young women. The objective of these adverts is to encourage people to click on them, a process which will download an archive of malicious files. 

One of these files is called Photo Album.exe but, far from containing any photos, it simply downloads a further executable file which unleashes NodeStealer. With NodeStealer running rampant on an infected system, it will begin harvesting login credentials and, in particular, it will attempt to take control of Facebook business accounts. With further business accounts compromised, NodeStealer can launch even more malicious ad campaigns and spread itself further. 

Stay Safe from the Threat of NodeStealer 

NodeStealer is a classic example of malware deceiving its victims to achieve its goal. And it’s not surprising to hear that the 18 – 65 male demographic have made up the majority of its victims. Regardless of the bait, however, NodeStealer provides us with a number of interesting lessons to learn. The most important takeaways should be: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


Malware and flies share one thing in common: they’re pesky. However, while flies help the ecosystem, the Striped Fly malware is nothing but trouble. 

Striped Fly has recently hit the headlines, but Kaspersky has revealed they’ve found evidence of its malicious activity dating back to 2017. Unfortunately, no one had been aware of its true identity until now. This means Striped Fly has enjoyed a five-year campaign where not even a single security researcher knew of its existence. And Kaspersky estimate that this invisibility has allowed it to infect over one million Windows and Linux hosts.  

In 2017, Striped Fly was mistakenly labelled as a cryptocurrency miner, falling under the Monero trojan family. Subsequent findings, however, have revealed that Striped Fly is much more sophisticated. 

What is Striped Fly?

Striped Fly’s exact mechanism is not fully understood at present, but researchers believe they know how it operates. It’s suspected that the threat actors exploited an EternalBlue SMBv1 exploit to gain a foothold in internet facing PCs. After discovering evidence of Striped Fly within the WININIT.exe application – used to help load subsystems within Windows – Kaspersky determined that it then downloads further files. 

These files typically come from online software depositories such as GitHub and BitBucket. These are used to build the final Striped Fly payload. Cleverly, Striped Fly comes with Tor network capabilities to encrypt its communications. Tor, of course, is an internet router service used to encrypt data transferred over its network. And this is part of the reason why Striped Fly remained hidden for so long. 

The main talking point about Striped Fly is its sophistication and wide range of functions. Striped Fly is capable of harvesting login credentials, taking unauthorized screenshots of infected devices, stealing Wi-Fi network configuration details, transferring files to remote sources, and recording microphone output. Clearly, it poses a significant threat to all PC users. 

Swatting Striped Fly Away 

Striped Fly’s half-decade long campaign has proved to be highly successful. Accordingly, your organization needs to be on its guard against Striped Fly and any similar threats. Kaspersky hasn’t revealed a specific fix for Striped Fly but, as ever, vigilance and good security practices are key. So, make sure the following is part of your established cybersecurity strategy: 

For more ways to secure and optimize your business technology, contact your local IT professionals. 

Read More


The threat of malware strikes the business world again, and this time it’s using LinkedIn to trick users into downloading the DarkGate malware. 

LinkedIn is designed to help professionals connect with each other and build professional relationships. It’s proven to be wildly popular, with 950 million members currently registered on the platform. 

But where there are huge numbers of users, there will also be large amounts of data. And this data is like catnip to threat actors. This is why fake LinkedIn posts have started appearing on the platform. These posts, as well as a campaign of direct messages, are far from informative for the users of LinkedIn. Instead, they are being used to trick LinkedIn users, primarily those who hold positions within the social media niche, to download malware. 

Unveiling the Essentials of DarkGate on LinkedIn 

Security experts have been aware of DarkGate since 2017, but it was considered a low-level threat due to its limited activity in the digital wild. However, this changed in June 2023, when its creator began selling it as Malware-as-a-Service package. Since then, a campaign using DarkGate has been launched by threat actors, believed to be working in Vietnam, which targets LinkedIn users. 

Mostly, these users have consisted of social media managers operating in the US, the UK, and India. Using LinkedIn posts, or sending direct messages to targets, the threat actors propose that a job offer at Corsair is on the table. LinkedIn is a highly popular recruitment tool, so there’s nothing out of the ordinary with these initial contacts. However, the targets are encouraged into downloading malicious documents, such as a Word document containing a job description and a text file discussing salary details. 

Within these documents are malicious links. Once clicked, these links lead to a series of scripts being launched which are used to build DarkGate. The malware’s first move is to start uninstalling security tools located on the infected system. DarkGate’s next step is to begin harvesting data from the compromised system. In particular, DarkGate appears to be targeting login credentials for Facebook business accounts, hence the focus on social media managers. 

Protecting Your Credentials from DarkGate 

If you’re a social media manager and regularly log on to LinkedIn, the advice is simple: stay away from any links relating to job offers for Corsair. Unfortunately, the threat actors are likely to change the details of their attack now that it’s started generating headlines. Nonetheless, you can still do the following to protect your credentials: 

For more ways to secure and optimize your business technology, contact your local IT professionals.

Read More

1 3 4 5 6 7 29