A new series of attacks against organizations in East Asia has been discovered by security researchers and attributed to a threat actor tracked as DragonSpark.
The campaign, discovered by SentinelLabs, uses the little-known open-source SparkRAT along with malware that evades detection by interpreting embedded Go source code at runtime.
“The DragonSpark attacks represent the first concrete malicious activity in which we have observed consistent use of the open-source SparkRAT,” the advisory states.
“SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to attackers.”
According to a technical article by Senior Threat Researcher Aleksandar Milenkoski, Microsoft reported signs of threat actors using SparkRAT in late December 2022. Still, the attacks confirmed by SentinelLabs do not appear to be related to the activity recorded by the tech giant.
“The threat actors behind the DragonSpark attacks are using Golang malware that interprets embedded Golang source code at runtime as a technique to thwart static analysis and evade detection by static analysis mechanisms,” writes Milenkoski.
“This unusual technique provides threat actors with yet another means of evading detection mechanisms by obfuscating the malware implementation.”
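The technique Milenkoski describes, a compiled binary carrying Go source text that it hands to an embedded interpreter, leaves a recognizable artifact: a complete, readable Go source file sitting inside an executable. The following detection helper is an added example, not code from the SentinelLabs report or from the DragonSpark tooling. It scans a byte blob for `package main` declarations, takes the run of printable text that follows, and scores it against a handful of Go-syntax markers; the marker list, thresholds and the constructed sample binary are my assumptions for illustration.

```python
import re
import sys

# Markers of Go source text. These are assumed heuristics for spotting source
# that a binary carries for runtime interpretation; they are not taken from the
# SentinelLabs report.
GO_SOURCE_MARKERS = [
    re.compile(rb"\bpackage\s+main\b"),
    re.compile(rb"^\s*import\s*[(\"]", re.MULTILINE),
    re.compile(rb"\bfunc\s+main\s*\(\s*\)"),
    re.compile(rb"\bfunc\s+\w+\s*\("),
    re.compile(rb":="),
]
MIN_SCORE = 3      # distinct markers needed before a region is reported
MIN_TEXT_LEN = 40  # ignore isolated strings such as a lone "package main"
NON_TEXT_RUN = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]{4,}")  # 4+ binary bytes


def text_run(blob: bytes, start: int, limit: int) -> bytes:
    """Return the printable-text run beginning at `start`, cut at the first
    stretch of binary bytes or at `limit` bytes, whichever comes first."""
    chunk = blob[start:start + limit]
    m = NON_TEXT_RUN.search(chunk)
    return chunk[:m.start()] if m else chunk


def find_embedded_go_source(blob: bytes, limit: int = 65536) -> list:
    """Return regions of `blob` that look like a complete Go source file.

    Each candidate is anchored at a 'package main' declaration; the text run
    that follows is scored by how many distinct Go-syntax markers it contains."""
    hits = []
    for m in re.finditer(rb"\bpackage\s+main\b", blob):
        region = text_run(blob, m.start(), limit)
        if len(region) < MIN_TEXT_LEN:
            continue
        score = sum(1 for pat in GO_SOURCE_MARKERS if pat.search(region))
        if score >= MIN_SCORE:
            hits.append({
                "offset": m.start(),
                "length": len(region),
                "score": score,
                "preview": region[:60].decode("ascii", "replace"),
            })
    return hits


def scan_file(path: str) -> list:
    """Convenience wrapper: scan a file on disk."""
    with open(path, "rb") as fh:
        return find_embedded_go_source(fh.read())


# Constructed sample: a harmless Go program wrapped in filler bytes to stand in
# for a compiled executable that carries source text for an embedded
# interpreter. This is not a real malware sample.
SAMPLE_GO_SOURCE = b"""package main

import (
\t"fmt"
\t"runtime"
)

func main() {
\tname := runtime.GOOS
\tfmt.Println("running on", name)
}
"""
CONSTRUCTED_BINARY = (
    b"MZ" + bytes(range(256)) * 8        # binary-looking header/code filler
    + SAMPLE_GO_SOURCE                   # embedded source text, offset 2050
    + b"\x00" * 64 + bytes(range(256))   # trailing binary data
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([scan_file(p) for p in paths] if paths
               else [find_embedded_go_source(CONSTRUCTED_BINARY)])
    for hits in results:
        for h in hits:
            print(f"offset={h['offset']} length={h['length']} "
                  f"score={h['score']} preview={h['preview']!r}")
```

Run it with one or more file paths to scan real executables, or with no arguments to scan the constructed sample. The text-run cut is what keeps the heuristic useful on ordinary Go binaries: a compiled program contains plenty of short Go identifiers in its symbol table, but they sit among binary bytes and never form a contiguous, multi-line source file with an import block and a `main` function, so they fall under `MIN_TEXT_LEN` or below `MIN_SCORE`. A hit is a reason to pull the region out and read it, not a verdict on its own.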
Additionally, after gaining an initial foothold on infected systems, the DragonSpark threat actors performed a variety of malicious activities, including lateral movement, privilege escalation, and deployment of additional malware and tools.
“We observed that the attackers relied heavily on open source tools developed by Chinese-speaking developers and Chinese vendors,” explains Milenkoski.
These tools include the privilege escalation tools SharpToken and BadPotato, along with a cross-platform remote access tool called GotoHTTP that provides features such as establishing persistence, file transfer, and screen viewing.
“In addition to the above tools, the threat actor used two custom-built malware to execute malicious code: ShellCode_Loader, implemented in Python and distributed as a PyInstaller package; and m6699.exe, implemented in Golang,” reads the SentinelLabs technical write-up.
Milenkoski also added that, because SparkRAT is multi-platform and has multiple capabilities, the tool is likely to remain attractive to cybercriminals and other threat actors in the future.
“SentinelLabs continues to monitor DragonSpark cluster activity and believes defenders can use this article to strengthen their defenses.”
Separately, researchers at Lumen Technologies found another malware tool written in Golang, nicknamed “Chaos.”