Organisations in Singapore, Taiwan, Hong Kong and China have recently faced attacks from a Chinese threat actor tracked as DragonSpark. The threat actor was observed using the open source tool SparkRAT in its attacks, according to a report by SentinelOne.
SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the Remote Access Trojan (RAT) attractive to threat actors.
DragonSpark was observed using Golang malware that interprets embedded Go source code at runtime, a technique that hinders static analysis and helps the malware evade detection mechanisms that rely on it.
“This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations,” SentinelOne noted.
The infrastructure for staging the payloads is located in Singapore, Taiwan, Hong Kong and China, some of which belong to legitimate businesses. The command-and-control (C2) servers are situated in Hong Kong and the US, the cyber security firm noted.
Initial intrusion vector
The initial indicators of the DragonSpark attacks were compromised web servers and MySQL database servers exposed to the internet.
Exposing MySQL servers to the internet is an infrastructure posture flaw that can lead to data breaches, credential theft or lateral movement across networks, SentinelOne noted. On the compromised servers, researchers observed the China Chopper webshell, a webshell commonly used by Chinese threat actors.
“After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure,” the report said.
The threat actor was found to be using open source tools such as SparkRAT, SharpToken, BadPotato and GotoHTTP, which are developed by Chinese-speaking developers or Chinese vendors.
“In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: Shellcode loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang,” SentinelOne noted.
The genesis of SparkRAT
SparkRAT is a remote access trojan developed by the Chinese-speaking developer XZB-1248. The RAT is written in Golang and released as open source software. It supports Windows, Linux and macOS.
SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system. This allows the RAT to update itself to the latest version available on the C2 server: on start-up it issues an upgrade request.
“This is an HTTP POST request, with the commit query parameter storing the current version of the tool,” researchers noted.
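As an added defensive example (not code from the SentinelOne report or from the SparkRAT project), the Python below scans constructed proxy log lines for the two network behaviours described above: a POST carrying a `commit` query parameter, as in the upgrade check, and a WebSocket handshake (HTTP 101 Switching Protocols) to the same host from the same client. The log format, hosts, ports and paths are assumptions for illustration, not indicators from the report.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log (client, method, URL, HTTP status); not data from the report.
# Hosts, ports and paths are placeholders, not real DragonSpark infrastructure.
SAMPLE_LOG = """\
10.0.0.5 POST http://203.0.113.10:8000/update?commit=20221101 200
10.0.0.5 GET http://203.0.113.10:8000/ws 101
10.0.0.7 GET http://intranet.example/index.html 200
10.0.0.9 POST http://git.example/repo/push?commit=abc123 200
10.0.0.9 GET http://git.example/repo/tree 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = parts.netloc
    rec["query"] = parse_qs(parts.query)
    rec["status"] = int(rec["status"])
    return rec


def find_sparkrat_indicators(log_text):
    """Return one finding per (client, host) pair that shows either behaviour.
    'upgrade_check' = POST with a 'commit' query parameter (the version check above);
    'websocket' = 101 response, i.e. a WebSocket handshake. Both from the same client
    to the same host is rated high; either one alone is rated low (a normal git push
    also carries a 'commit' parameter, so a POST alone is weak evidence)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["client"], rec["host"])
        if rec["method"] == "POST" and "commit" in rec["query"]:
            seen[key].add("upgrade_check")
        if rec["status"] == 101:
            seen[key].add("websocket")
    findings = []
    for (client, host), reasons in sorted(seen.items()):
        confidence = "high" if len(reasons) == 2 else "low"
        findings.append({"client": client, "host": host,
                         "reasons": sorted(reasons), "confidence": confidence})
    return findings


if __name__ == "__main__":
    for finding in find_sparkrat_indicators(SAMPLE_LOG):
        print(finding)
```

The heuristic keys only on the query parameter and the handshake status, not on URL paths, so it should be tuned against the local baseline before use as an alert.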
In the attacks analysed by the researchers, the SparkRAT version used was built on November 1, 2022 and implemented 26 commands.
“Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future,” researchers said.
DragonSpark also uses the Golang-based m6699.exe to interpret encoded source code at runtime and launch a shellcode loader. This initial shellcode loader contacts the C2 server and executes the next-stage shellcode loader.
Likely a Chinese-speaking threat actor
Based on several indicators, the researchers say it is highly likely that DragonSpark is a Chinese-speaking threat actor. “We are unable at this point to link DragonSpark to a specific threat actor due to lack of reliable actor-specific indicators. The actor may have espionage or cybercrime motivations,” the researchers said.
In September 2022, researchers had observed the Zegost malware communicating with the same C2 server that DragonSpark now uses. Zegost is an info-stealer historically attributed to Chinese cybercriminals and has also been observed as part of espionage campaigns.
Research by Weibu Intelligence Agency claimed that the Chinese cybercrime actor FinGhost was using Zegost malware, including a variant of the sample used by DragonSpark.
The researchers also noted that the malware staging infrastructure is located exclusively in Singapore, Taiwan, Hong Kong and China, which is common among Chinese-speaking threat actors targeting victims in the region.
“This evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor,” SentinelOne noted.