According to cybersecurity company SentinelOne, a Chinese threat actor tracked as DragonSpark has been using the open source remote administration tool (RAT) SparkRAT in recent attacks on East Asian enterprises.
SparkRAT, a relatively new RAT that runs on Windows, Linux, and macOS, can update itself with new versions distributed through its command and control (C&C) server. It is written in the Go programming language and supports over 20 commands that it uses to carry out operations, take control of the infected machine, alter processes and files, and steal various kinds of information. It communicates with the C&C server over the WebSocket protocol.
Although it appears that several adversaries are using the malware, SentinelOne claims that DragonSpark is the first activity cluster in which SparkRAT has been consistently employed in attacks. The attackers were also observed utilising two unique malware families, ShellCode Loader and m6699.exe, as well as the China Chopper webshell and other malware tools developed by Chinese programmers, such as BadPotato, GotoHTTP, SharpToken, and XZB-1248.
The m6699.exe malware used the Yaegi framework to “interpret at runtime encoded Golang source code embedded within the produced binary, executing the code as if compiled” in order to avoid detection, according to SentinelOne. Following the initial breach, DragonSpark was observed moving laterally, escalating privileges, and deploying further malware hosted on attacker-controlled infrastructure. It was observed targeting web servers and MySQL database servers.
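Because a Go binary that embeds an interpreter such as Yaegi still links the interpreter's packages statically, a defender can triage suspicious Go executables for that dependency. The following Go program is an added example written for this article, not code from SentinelOne or from any of the tools it describes. It assumes the public Yaegi module path is github.com/traefik/yaegi (the article does not name the path), checks both the embedded Go build info and the raw package-path strings left in the binary, and the sample bytes it scans when run without arguments are constructed here for illustration.

```go
package main

import (
	"bytes"
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

// Assumed module path of the Yaegi interpreter (not stated in the article).
const yaegiModule = "github.com/traefik/yaegi"

// Package paths Yaegi links into a binary; the linker keeps these strings in
// the symbol/pclntab data unless the sample was stripped or obfuscated.
var yaegiPackages = []string{
	yaegiModule + "/interp",
	yaegiModule + "/stdlib",
}

// Finding is one indicator matched in a binary.
type Finding struct {
	Source    string // "buildinfo" or "strings"
	Indicator string
}

// FlagModules returns a finding for every module path in deps that belongs
// to Yaegi. deps normally comes from the binary's embedded build info.
func FlagModules(deps []string) []Finding {
	var out []Finding
	for _, p := range deps {
		if p == yaegiModule || strings.HasPrefix(p, yaegiModule+"/") {
			out = append(out, Finding{Source: "buildinfo", Indicator: p})
		}
	}
	return out
}

// ScanBytes searches raw file content for Yaegi package paths. This still
// works when build info was removed, but obfuscators that rewrite package
// names (a known evasion) will defeat it, so treat a miss as inconclusive.
func ScanBytes(data []byte) []Finding {
	var out []Finding
	for _, pkg := range yaegiPackages {
		if bytes.Contains(data, []byte(pkg)) {
			out = append(out, Finding{Source: "strings", Indicator: pkg})
		}
	}
	return out
}

// InspectBinary runs both checks on a file on disk. Build info is optional:
// many malware samples strip it, so its absence is not an error.
func InspectBinary(path string) ([]Finding, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	findings := ScanBytes(data)
	if bi, err := buildinfo.ReadFile(path); err == nil {
		deps := make([]string, 0, len(bi.Deps))
		for _, d := range bi.Deps {
			deps = append(deps, d.Path)
		}
		findings = append(findings, FlagModules(deps)...)
	}
	return findings, nil
}

// DemoSample is a constructed byte blob imitating the symbol strings a Go
// linker leaves behind; it is not taken from any real sample.
func DemoSample() []byte {
	return []byte("\x00main.main\x00" +
		"github.com/traefik/yaegi/interp.(*Interpreter).Eval\x00" +
		"runtime.main\x00")
}

func main() {
	var findings []Finding
	if len(os.Args) > 1 {
		f, err := InspectBinary(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(2)
		}
		findings = f
	} else {
		findings = ScanBytes(DemoSample())
	}
	for _, f := range findings {
		fmt.Printf("%-9s %s\n", f.Source, f.Indicator)
	}
	if len(findings) > 0 {
		fmt.Println("verdict: embeds a Go interpreter; review for runtime-evaluated source")
	}
}
```

Run it as `go run scan.go ./suspect-binary` to check a real file; with no argument it scans the constructed sample. A hit is a triage signal rather than proof of malice (legitimate tooling also embeds Yaegi), and a clean result on a stripped or obfuscated sample should not be read as a pass.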
The cybersecurity company has seen DragonSpark stage malware on the compromised infrastructure of legitimate Taiwanese businesses, including an art gallery, a retailer of baby items, and gaming and gambling websites. While its C&C servers are located in Hong Kong and the US, DragonSpark also uses malware staging infrastructure in China, Hong Kong, and Singapore.
Based on the architecture and tools utilised, SentinelOne assesses that DragonSpark is a Chinese-speaking adversary focused on either espionage or cybercrime. One of its C&C IPs was previously linked to the Zegost malware, an information stealer used by Chinese threat actors.