The group is seen using SparkRAT, a multi-platform remote access Trojan, to target firms in Hong Kong, Taiwan, China, and Singapore.

Organizations in Taiwan, Hong Kong, Singapore, and China have recently been facing attacks from the Chinese threat actor DragonSpark. The threat actor was observed using the open-source tool SparkRAT in its attacks, according to a report by SentinelOne. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the remote access Trojan (RAT) attractive to threat actors.

DragonSpark was observed using Golang malware that interprets embedded Golang source code at runtime, a technique for hindering static analysis and evading static detection mechanisms. “This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations,” SentinelOne noted.

The infrastructure for staging the payloads is located in Taiwan, Hong Kong, China, and Singapore, and some of it belongs to legitimate businesses. The command-and-control (C2) servers are situated in Hong Kong and the US, the cybersecurity firm noted.

Initial intrusion vector

The initial indicators of the DragonSpark attacks were compromised web servers and MySQL database servers exposed to the internet. Exposing MySQL servers to the internet is an infrastructure posture flaw that can lead to data breaches, credential theft, or lateral movement across networks, SentinelOne noted. On the compromised servers, researchers observed the China Chopper webshell, a webshell commonly used by Chinese threat actors. “After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure,” the report said.
The threat actor was found to be using open-source tools such as SparkRAT, SharpToken, BadPotato, and GotoHTTP, which are developed by Chinese-speaking developers or Chinese vendors. “In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: Shellcode loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang,” SentinelOne said.

The genesis of SparkRAT

SparkRAT is a remote access Trojan developed by the Chinese-speaking developer XZB-1248. The RAT is written in Golang and released as open-source software. It supports Windows, Linux, and macOS. SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system: on start-up the RAT issues an upgrade request so that it can automatically update itself to the latest version available on the C2 server. “This is an HTTP POST request, with the commit query parameter storing the current version of the tool,” researchers noted. In the attacks analyzed by the researchers, the SparkRAT version used was built on November 1, 2022, and supported 26 commands. “Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future,” researchers said.

DragonSpark also uses the Golang-based m6699.exe, which interprets encoded source code at runtime and launches a shellcode loader. This initial shellcode loader contacts the C2 server and executes the next-stage shellcode loader.

Likely a Chinese-speaking threat actor

Based on several indicators, the researchers say it is highly likely that DragonSpark is a Chinese-speaking threat actor. “We are unable at this point to link DragonSpark to a specific threat actor due to lack of reliable actor-specific indicators. The actor may have espionage or cybercrime motivations,” the researchers said.
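As an added illustration, not code from the SentinelOne report or the SparkRAT project, the Python sketch below turns the two network behaviours described above into detection logic over a few constructed proxy log lines: an HTTP POST upgrade check that carries the tool version in a commit query parameter, and WebSocket traffic to the same host. The log format, the URL paths, the IP addresses and the allowlist of hosts are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines (not from the report); the URL paths are invented.
# Assumed format: "<timestamp> <client_ip> <method> <url> <http_status>"
SAMPLE_LOG = """\
2022-11-02T09:14:03Z 10.0.5.21 GET http://intranet.example.local/index.html 200
2022-11-02T09:14:09Z 10.0.5.21 POST http://203.0.113.45:8000/api/client/update?commit=20221101 200
2022-11-02T09:15:11Z 10.0.5.33 POST http://git.example.local/api/v4/projects/7?commit=abc123 200
2022-11-02T09:16:40Z 10.0.5.21 GET http://203.0.113.45:8000/ws 101
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
# Hosts where a "commit" parameter or WebSocket traffic is expected; assumed allowlist.
ALLOWED_HOSTS = {"git.example.local"}

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["url"])
    rec["host"] = parts.hostname or ""
    rec["query"] = parse_qs(parts.query)
    return rec

def is_upgrade_check(rec):
    """Report: the upgrade request is an HTTP POST whose 'commit' query parameter holds the RAT version."""
    return rec["method"] == "POST" and "commit" in rec["query"] and rec["host"] not in ALLOWED_HOSTS

def is_websocket_upgrade(rec):
    """HTTP 101 (Switching Protocols) is the server's answer to a WebSocket upgrade."""
    return rec["status"] == 101 and rec["host"] not in ALLOWED_HOSTS

def scan(log_text):
    """Group signals per (client, host); a pair showing both is the strongest match."""
    hits = defaultdict(lambda: {"signals": set(), "version": ""})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["host"])
        if is_upgrade_check(rec):
            hits[key]["signals"].add("upgrade-check")
            hits[key]["version"] = rec["query"]["commit"][0]
        if is_websocket_upgrade(rec):
            hits[key]["signals"].add("websocket")
    return dict(hits)
```

On the sample input, only the 10.0.5.21 to 203.0.113.45 pair shows both signals, while the internal git host's commit parameter is suppressed by the allowlist; in practice the recovered version value is useful for pivoting to other clients that report the same build.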
In September 2022, researchers observed the Zegost malware communicating with the same C2 server that is being used by DragonSpark. Zegost is an info-stealer historically attributed to Chinese cybercriminals and has also been observed as part of espionage campaigns. Research by Weibu Intelligence Agency claimed that the Chinese cybercrime actor FinGhost was using Zegost malware and a variant of the sample used by DragonSpark. The researchers also noted that the malware staging infrastructure is located exclusively in East Asia (Taiwan, Hong Kong, China, and Singapore), which is common among Chinese-speaking threat actors targeting victims in the region. “This evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor,” SentinelOne noted.