
Organizations in East Asia have been targeted by attackers believed to speak Chinese, in a campaign tracked as DragonSpark that employs unusual tactics to get past security layers.
“The attacks are characterized by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through interpretation of Golang source code,” SentinelOne said in an analysis published today.
A salient aspect of the intrusion is the consistent use of SparkRAT to perform a variety of activities, including stealing information, controlling infected hosts, and executing additional PowerShell instructions.
While espionage or cybercrime are likely motives, the attacker’s ultimate goal remains unknown. DragonSpark’s ties to China stem from its use of the China Chopper web shell to deploy malware, a widely used attack vector among Chinese actors.
Furthermore, not only do the open-source tools used in the attacks originate from developers or companies with ties to China, the infrastructure for staging payloads is located in Taiwan, Hong Kong, China, and Singapore, and some of it belongs to legitimate companies.
Meanwhile, command-and-control (C2) servers are located in Hong Kong and the United States, the cybersecurity firm said.

Initial access is achieved by compromising an Internet-facing web server and a MySQL database server to drop the China Chopper web shell. The attacker then leverages this foothold to perform lateral movement, privilege escalation, and malware deployment using open-source tools such as SharpToken, BadPotato, and GotoHTTP.
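Because the foothold described above is a China Chopper web shell dropped on a compromised web server, the most direct defensive check is a sweep of the web root for the one-line "evaluate a request parameter" scripts that family consists of. The following Python is an added example written for this page, not SentinelOne's detection logic or any vendor's tooling; the regexes, file extensions and the sample files it writes into a temporary directory are all constructed for the demonstration.

```python
import os
import re
import tempfile

# Triage regexes for the one-line "eval a request parameter" web shells of the China Chopper
# family (PHP and JScript/ASPX variants). Constructed for this example; not a vendor signature.
WEBSHELL_PATTERNS = {
    # <?php @eval($_POST['pass']); ?>
    "php_eval_request": re.compile(r"@?\beval\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    # <?php @assert($_POST['pass']); ?>  (assert() evaluates strings in older PHP releases)
    "php_assert_request": re.compile(r"@?\bassert\s*\(\s*\$_(?:POST|GET|REQUEST)\s*\[", re.I),
    # <%eval(Request.Item["pass"],"unsafe");%>  (JScript ASPX variant)
    "aspx_eval_request_unsafe": re.compile(
        r"\beval\s*\(\s*Request\.Item\s*\[[^\]]*\]\s*,\s*\"unsafe\"", re.I),
}

# Server-side script extensions worth inspecting (assumed list; extend for your stack).
SCRIPT_EXTENSIONS = (".php", ".phtml", ".asp", ".aspx", ".ashx", ".jsp")


def scan_content(text: str) -> list[str]:
    """Return the names of every web-shell pattern that matches the given file content."""
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(text)]


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a web root and map each matching script (path relative to root) to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(SCRIPT_EXTENSIONS):
                continue  # static assets are not executed server-side
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            findings = scan_content(text)
            if findings:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return hits


# Constructed sample files for the demo (not artefacts from the campaign).
SAMPLE_FILES = {
    "index.php": "<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>",  # benign use of $_POST
    "uploads/cache.php": "<?php @eval($_POST['pass']); ?>",                  # PHP one-liner
    "aspnet_client/img.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "static/logo.png": "not a script at all",                                # skipped by extension
}


def demo() -> dict[str, list[str]]:
    """Write the constructed samples into a temporary web root, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(f"{path}: {', '.join(findings)}")
```

The benign `index.php` touches `$_POST` but never evaluates it, so it is not reported; the two one-liners are. In practice this sweep should be paired with file-integrity monitoring on the web root and with web-server access-log review for POST requests to recently created script files, since the shell is only useful to the intruder once it is reachable over HTTP.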
The compromised host is also delivered custom malware that can execute arbitrary code, along with SparkRAT, a cross-platform remote access Trojan that can execute system commands, manipulate files and processes, and siphon information of interest.
Another malware of note is the Golang-based m6699.exe, which launches a shellcode loader designed to interpret embedded Go source code at runtime in order to fly under the radar, then connects to the C2 servers to retrieve and execute the next-stage shellcode.
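The evasion described for m6699.exe, interpreting Go source text at runtime rather than shipping compiled logic, leaves a distinctive trace: a compiled Go binary carries symbol names such as `main.main` in its string table, but not the source keywords `package main`, `func main()` or `:=`. A loader that embeds source to interpret must carry that text somewhere, which a plain strings-style sweep can surface. The Python below is an added triage heuristic written for this page, not SentinelOne's analysis code; the marker list, the threshold of three markers and the two sample byte blobs are constructed assumptions.

```python
import re

# Tokens that occur in Go *source* text but not in the string table of a normally compiled
# Go binary. Heuristic chosen for this example; not a vendor signature.
GO_SOURCE_MARKERS = (
    re.compile(rb"\bpackage\s+main\b"),
    re.compile(rb"\bfunc\s+main\s*\(\s*\)"),
    re.compile(rb"\bimport\s*\("),
    re.compile(rb"\bfunc\s+\w+\s*\([^)]*\)\s*[\w\[\]\*]*\s*\{"),
    re.compile(rb"\w+\s*:=\s*"),
)
MIN_MARKERS = 3  # assumption: require several independent markers to keep false positives low


def printable_runs(blob: bytes, min_len: int = 8):
    """Yield runs of printable ASCII (strings(1)-style), at least min_len bytes long."""
    for m in re.finditer(rb"[\x20-\x7e\t\r\n]{%d,}" % min_len, blob):
        yield m.group(0)


def find_embedded_go_source(blob: bytes) -> dict:
    """Score each printable run for Go source markers; report the strongest run found."""
    best = {"flagged": False, "markers": 0, "snippet": b""}
    for run in printable_runs(blob):
        hits = sum(1 for rx in GO_SOURCE_MARKERS if rx.search(run))
        if hits > best["markers"]:
            best = {"flagged": hits >= MIN_MARKERS, "markers": hits, "snippet": run[:80]}
    return best


# Constructed sample: a fake PE-like blob with Go source text embedded between binary junk.
# The embedded program is inert (it only reads its own PID); it stands in for whatever a
# loader would carry, and is not the campaign's code.
EMBEDDED_SOURCE = b"""package main

import (
\t"os"
\t"syscall"
)

func main() {
\tpayload := os.Args[0]
\t_ = syscall.Getpid()
\t_ = payload
}
"""
SAMPLE_LOADER = b"MZ\x90\x00" + bytes(range(256)) * 4 + EMBEDDED_SOURCE + b"\x00\x00PE\x00\x00"

# Constructed sample: what the string table of an ordinary compiled Go binary looks like
# (symbol names and a toolchain version, no source keywords).
SAMPLE_PLAIN_GO_BINARY = (
    b"\x7fELF" + b"\x00" * 32
    + b"go1.19.5\x00main.main\x00runtime.main\x00os.Getpid\x00"
    + bytes(range(256))
)


if __name__ == "__main__":
    for name, blob in (("loader", SAMPLE_LOADER), ("plain", SAMPLE_PLAIN_GO_BINARY)):
        result = find_embedded_go_source(blob)
        print(f"{name}: flagged={result['flagged']} markers={result['markers']}")
```

A hit is a reason to pull the sample for analysis, not a verdict: legitimate tooling that ships Go source (template generators, build helpers) will also trip it, and a loader that stores the source compressed or encrypted will not. For the latter case the complementary signal is behavioural, a process that never had a build step yet resolves and executes Go source at runtime, which is best caught by the EDR telemetry the text alludes to rather than by static inspection.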
“Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns,” the researchers conclude.
“Since SparkRAT is a multi-platform, feature-rich tool and is regularly updated with new features, we estimate that the RAT will continue to be attractive to cybercriminals and other threat actors in the future.”