A new string of attacks against East Asian organizations has been spotted by security researchers and attributed to the threat actor known as DragonSpark.
The campaign, discovered by SentinelLabs, uses the little-known open-source SparkRAT alongside Go-based malware that evades detection by interpreting embedded Go source code at runtime rather than shipping the malicious logic as ordinary compiled code.
“The DragonSpark attacks represent the first concrete malicious activity where we observe the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape,” reads a SentinelLabs advisory published earlier today.
“SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.”
According to the technical write-up by senior threat researcher Aleksandar Milenkoski, Microsoft reported in late December 2022 indications of threat actors using SparkRAT, but the attacks seen by SentinelLabs do not appear to be connected to the activity documented by the tech giant.
“We observed that the threat actor behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms,” Milenkoski wrote.
“This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations.”
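The artefact this technique leaves behind is Go source text sitting inside a binary or a memory image, which is something a defender can look for directly. The following is an added example, not code from the SentinelLabs report or from the DragonSpark tooling: a Go heuristic that extracts printable runs from a blob, tokenizes each run with the standard library's go/scanner, and flags runs that carry a package clause plus several Go keyword tokens. The threshold, the regular expression and both sample blobs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"go/scanner"
	"go/token"
	"regexp"
)

// minKeywords is an assumed threshold: a printable run must contain at least
// this many Go keyword tokens before it is treated as embedded source rather
// than as a stray identifier string inside an ordinary compiled Go binary.
const minKeywords = 4

// packageClause matches a line that starts a Go compilation unit.
var packageClause = regexp.MustCompile(`(?m)^\s*package\s+[A-Za-z_][A-Za-z0-9_]*\s*$`)

// printableRuns returns runs of at least minLen bytes of printable ASCII,
// treating tab, CR and LF as printable so multi-line source stays in one run
// (the same idea as the `strings` utility).
func printableRuns(data []byte, minLen int) []string {
	var runs []string
	start := -1
	for i, b := range data {
		printable := (b >= 0x20 && b <= 0x7e) || b == '\t' || b == '\n' || b == '\r'
		switch {
		case printable && start < 0:
			start = i
		case !printable && start >= 0:
			if i-start >= minLen {
				runs = append(runs, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		runs = append(runs, string(data[start:]))
	}
	return runs
}

// countGoKeywords tokenizes a run with go/scanner and counts keyword tokens
// (package, import, func, if, return, ...). Tokenizing instead of substring
// matching means "function" or "packaged" inside ordinary strings do not count.
func countGoKeywords(run string) int {
	fset := token.NewFileSet()
	file := fset.AddFile("", fset.Base(), len(run))
	var s scanner.Scanner
	s.Init(file, []byte(run), nil, 0) // nil error handler: illegal tokens are skipped, not reported
	n := 0
	for {
		_, tok, _ := s.Scan()
		if tok == token.EOF {
			break
		}
		if tok.IsKeyword() {
			n++
		}
	}
	return n
}

// FindEmbeddedGoSource returns the printable runs that look like Go source:
// each must carry a package clause and at least minKeywords keyword tokens.
func FindEmbeddedGoSource(data []byte) []string {
	var hits []string
	for _, run := range printableRuns(data, 32) {
		if packageClause.MatchString(run) && countGoKeywords(run) >= minKeywords {
			hits = append(hits, run)
		}
	}
	return hits
}

// Constructed sample 1: a loader-style blob with a second-stage Go program
// embedded in the clear between opaque bytes.
var SampleWithSource = append(
	append([]byte{0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0xff, 0xfe},
		[]byte("package main\n\nimport (\n\t\"fmt\"\n\t\"os\"\n)\n\nfunc main() {\n\tif len(os.Args) > 1 {\n\t\tfmt.Println(\"stage two:\", os.Args[1])\n\t\treturn\n\t}\n\tfmt.Println(\"stage two\")\n}\n")...),
	0x00, 0x00, 0xc3, 0x90, 0x00,
)

// Constructed sample 2: strings a normal compiled Go binary carries (build ID,
// symbol names, reflected type descriptors). The type descriptor run contains
// the keywords type, func and interface, but no package clause, so it is not flagged.
var SampleWithoutSource = []byte("\x7fELF\x02\x01\x01\x00\x00Go build ID: \"abcdef0123456789\"\x00runtime.main\x00main.main\x00" +
	"type:*func(*os.File) error;*func(string, ...interface {}) (int, error)\x00\xff")

func main() {
	for name, blob := range map[string][]byte{"with-source": SampleWithSource, "without-source": SampleWithoutSource} {
		fmt.Printf("%s: %d embedded Go source run(s)\n", name, len(FindEmbeddedGoSource(blob)))
	}
}
```

Two caveats apply in practice. Compiled Go binaries legitimately contain keyword-like strings in symbol names and reflected type descriptors, which is why the package-clause check is required in addition to the keyword count; and if an implant stores the embedded source encrypted or compressed at rest, this scan only finds it when run against the unpacked image or a memory dump taken while the interpreter is holding the decoded text.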
After obtaining an initial foothold on infected systems, the DragonSpark actors conducted various malicious activities, including lateral movement, privilege escalation and the deployment of additional malware and tools.
“We observed that the threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors,” Milenkoski explained.
These tools include the privilege escalation tools SharpToken and BadPotato, together with the cross-platform remote access tool GotoHTTP, which provides capabilities such as establishing persistence, transferring files and viewing the screen.
“In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang,” reads the SentinelLabs technical write-up.
Milenkoski also noted that since SparkRAT is a multi-platform tool with an extensive feature set, it is likely to remain attractive to cyber-criminals and other threat actors in the future.
“SentinelLabs continues to monitor the DragonSpark cluster of activities and hopes that defenders will leverage the findings presented in this article to bolster their defenses.”