Recently, an attack campaign has been found targeting organizations in East Asia with the little-known open-source tool SparkRAT. Attackers are leveraging the compromised infrastructure of genuine organizations such as a baby product retailer, an art gallery, and games and gambling sites located in China, Hong Kong, Singapore, and Taiwan to stage SparkRAT, along with other tools and malware.
Vulnerable infrastructure
SentinelOne researchers linked the tools and tactics used in the campaign, tracked as DragonSpark, to Chinese-speaking threat actors.
For initial access, the attackers compromise internet-exposed web servers and MySQL database servers, planting the China Chopper webshell through SQL injection, cross-site scripting, or web server vulnerabilities.
Once inside, they move laterally, escalate privileges, and deploy additional malware and tools hosted on attacker-controlled C2 infrastructure.
SparkRAT’s dominance
SparkRAT is a Golang-based, multi-platform tool that supports Windows, Linux, and macOS.
In the recent attacks, the threat actor used a SparkRAT variant built on November 1, 2022. It supports 26 commands covering command execution, system manipulation, file and process manipulation, and information theft.
The tool also has an upgrade system and communicates with its C2 server over the WebSocket protocol. On startup it issues an upgrade request to the C2 server and, if a newer version is available there, upgrades itself automatically.
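Because SparkRAT beacons over WebSocket, every session begins with an ordinary HTTP request carrying "Upgrade: websocket" that the server answers with status 101, which is a handshake proxy and Zeek-style logs record. The following hunting script is an added example written for this page, not SentinelOne's or the SparkRAT project's code: it parses constructed proxy log lines in a hypothetical key=value format and flags completed WebSocket handshakes to hosts outside a sanctioned allow list from clients that do not identify as a browser. The hosts, IPs, paths and user-agent strings are made up; the non-browser user agent is only an illustration of how a library client looks in logs, not a SparkRAT signature.

```python
"""
Hunt for outbound WebSocket C2 handshakes in proxy logs.

Added example (not code from SentinelOne or the SparkRAT project).
Assumptions: a hypothetical key=value proxy log format and a constructed
allow list of sanctioned WebSocket services.
"""
import re
from collections import Counter

# Constructed sample log: a browser session to a sanctioned chat service, two
# handshakes from a library-style client to an unknown external host on a
# non-standard port, and a library-style client talking to an allowed CDN.
SAMPLE_LOG = """\
ts=2023-01-20T08:01:02Z src=10.0.5.21 dst=chat.example-corp.internal dport=443 method=GET path=/socket status=101 upgrade=websocket ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0"
ts=2023-01-20T08:01:09Z src=10.0.5.21 dst=chat.example-corp.internal dport=443 method=GET path=/api/me status=200 upgrade=- ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/109.0"
ts=2023-01-20T08:03:44Z src=10.0.5.37 dst=203.0.113.45 dport=8080 method=GET path=/ws status=101 upgrade=websocket ua="Go-http-client/1.1"
ts=2023-01-20T08:05:10Z src=10.0.5.37 dst=203.0.113.45 dport=8080 method=GET path=/ws status=101 upgrade=websocket ua="Go-http-client/1.1"
ts=2023-01-20T08:06:00Z src=10.0.5.52 dst=cdn.example.net dport=443 method=GET path=/live status=101 upgrade=websocket ua="Go-http-client/1.1"
"""

# Hypothetical allow list of services that legitimately use WebSocket.
ALLOWED_WEBSOCKET_HOSTS = ["chat.example-corp.internal", "cdn.example.net"]

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one key=value line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in _FIELD.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def is_websocket_upgrade(rec):
    """A completed handshake: 101 Switching Protocols to an Upgrade: websocket request."""
    return rec.get("status") == "101" and rec.get("upgrade", "").lower() == "websocket"


def looks_like_browser(user_agent):
    # Every mainstream browser still sends a Mozilla/ prefix; library clients do not.
    return user_agent.startswith("Mozilla/")


def find_suspicious_upgrades(log_text, allowed_hosts):
    """Return handshakes to non-allow-listed hosts from non-browser clients."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if not is_websocket_upgrade(rec):
            continue
        if rec.get("dst", "").lower() in allowed:
            continue  # sanctioned WebSocket service, whatever the client
        if looks_like_browser(rec.get("ua", "")):
            continue  # browser WebSocket traffic is noisy; hunt it separately
        hits.append({k: rec.get(k) for k in ("ts", "src", "dst", "dport", "path", "ua")})
    return hits


def summarize(hits):
    """Count handshakes per (src, dst, dport) so repeated reconnects stand out."""
    return Counter((h["src"], h["dst"], h["dport"]) for h in hits)


if __name__ == "__main__":
    found = find_suspicious_upgrades(SAMPLE_LOG, ALLOWED_WEBSOCKET_HOSTS)
    for hit in found:
        print(hit)
    for (src, dst, dport), n in summarize(found).items():
        print(f"{src} -> {dst}:{dport}: {n} non-browser WebSocket handshake(s)")
```

On the constructed log this flags only the two handshakes from 10.0.5.37 to 203.0.113.45:8080; the repeat count is the useful signal, since a RAT that reconnects on every start produces the same (src, dst, dport) tuple again and again while a one-off developer test does not. Tune the allow list and the user-agent check to your environment before relying on the output.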
Relying on open-source tools
The attackers also rely heavily on other open-source tools such as BadPotato, SharpToken, GotoHTTP, ShellCode_Loader, and m6699[.]exe, all of which were developed by Chinese-speaking developers or vendors.
BadPotato and SharpToken are privilege escalation tools that enable the execution of Windows commands with SYSTEM privileges.
GotoHTTP is a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen view.
The group used a custom-built malware named ShellCode_Loader for executing malicious code. It is implemented in Python and delivered as a PyInstaller package.
Another notable custom-built Golang malware is m6699[.]exe, which interprets Golang source code at runtime. This uncommon technique hinders static analysis and lets the threat actors evade detection mechanisms that rely on it.
Chinese hackers are sharing tools
The open-source tools mentioned above have previously been used by many other Chinese threat actors in their attack campaigns.
In late December 2022, Microsoft reported indications of threat actors using SparkRAT. However, there is no evidence linking that activity to DragonSpark.
Zegost, an info-stealer malware historically attributed to Chinese cybercriminal group FinGhost, targeted a Chinese governmental entity in September 2022. Notably, researchers found a common C2 IP address between Zegost and DragonSpark attacks.
Historically, China Chopper webshell has been used by Chinese cybercriminals and espionage groups, such as the TG-3390 and Leviathan.
Conclusion
DragonSpark abuses open-source software and Golang-based malware to evade detection mechanisms by obfuscating malware implementations. This indicates that Chinese-speaking threat actors are still actively expanding their arsenal and sharing tools with each other to launch successful attacks. Experts estimate SparkRAT will remain attractive to cybercriminals and other threat actors in the future.