DragonSpark: A Chinese-Speaking Threat Actor Utilizing SparkRAT Malware to Target East Asian Organizations

In recent months, a new cluster of attacks targeting organizations in East Asia has been identified by cybersecurity firm SentinelOne. Dubbed "DragonSpark," the attacks are believed to be carried out by a Chinese-speaking actor and employ uncommon tactics to evade detection. One of the key tools used in these attacks is a little-known open-source malware called SparkRAT.

SparkRAT is a remote access trojan (RAT) developed in the Golang programming language and released as open-source software by a Chinese-speaking developer. The malware is multi-platform, feature-rich, and frequently updated with new features, making it an attractive option for threat actors. The Microsoft Security Threat Intelligence team reported on indications of SparkRAT being used in attacks in late December 2022, but DragonSpark is the first concrete malicious activity where consistent use of the malware has been observed.

The DragonSpark attacks are characterized by the use of SparkRAT and of malware that evades detection through Golang source code interpretation: the malware embeds Golang source code and interprets it at runtime, which hinders static analysis and lets it slip past detection mechanisms that rely on static analysis. This gives threat actors another means to evade detection and obfuscate malware implementations.

Initial access to the targeted organizations is achieved by compromising internet-exposed web servers and MySQL database servers, using the China Chopper web shell. This web shell is commonly used by Chinese threat actors and is recognizable by the "&echo [S]&cd&echo [E]" sequence in virtual terminal requests. Once access is gained, the threat actor conducts a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure.
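As an added illustration that is not part of the original article, the Python snippet below shows how a defender could flag the China Chopper marker quoted above in captured HTTP request bodies. It assumes a WAF, reverse proxy or IDS that records POST bodies (ordinary web server access logs usually do not), and the request records are constructed for this example. The marker is matched after percent-decoding, including double encoding, so that an encoded request is not missed.

```python
"""Flag the China Chopper virtual-terminal marker in captured request bodies.

Added example, not from the SentinelOne report. Assumes request bodies are
available to the defender; the sample records below are constructed.
"""
from urllib.parse import unquote_plus

# Marker sequence quoted in the article for China Chopper virtual-terminal requests.
CHOPPER_MARKER = "&echo [S]&cd&echo [E]"

# Constructed sample records: (client IP, method, path, raw request body).
SAMPLE_REQUESTS = [
    # Marker percent-encoded, as an HTTP client library would send it.
    ("198.51.100.23", "POST", "/uploads/img.aspx",
     "a=1%26echo+%5BS%5D%26cd%26echo+%5BE%5D"),
    # Same marker, double-encoded.
    ("198.51.100.23", "POST", "/uploads/img.aspx",
     "a=1%2526echo%2B%255BS%255D%2526cd%2526echo%2B%255BE%255D"),
    # Benign request that merely contains the word "echo".
    ("203.0.113.7", "POST", "/search", "q=echo+dot+speakers"),
    # GET request with no body.
    ("203.0.113.8", "GET", "/index.html", ""),
]


def normalize_body(raw, max_rounds=3):
    """Undo percent-encoding (including double encoding) so the literal
    marker can be matched. Stops when another decoding round changes nothing."""
    text = raw
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def is_chopper_request(body):
    """True if the decoded body carries the China Chopper marker."""
    return CHOPPER_MARKER in normalize_body(body)


def scan_requests(records):
    """Return (client IP, path) for every record whose body carries the marker."""
    return [(ip, path) for ip, _method, path, body in records
            if is_chopper_request(body)]


if __name__ == "__main__":
    for ip, path in scan_requests(SAMPLE_REQUESTS):
        print(f"China Chopper marker from {ip} to {path}")
```

The decoding loop is bounded so that a body crafted to decode endlessly cannot stall the scanner; three rounds cover single and double encoding, which is what proxies typically see.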

The threat actors heavily rely on open-source tools that are developed by Chinese-speaking developers or Chinese vendors. In addition to SparkRAT, other tools used in the attacks include SharpToken, a privilege escalation tool that enables the execution of Windows commands with SYSTEM privileges; BadPotato, a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution; and GotoHTTP, a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen view.

The attackers also use two pieces of custom-built malware for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang. The m6699.exe malware is particularly noteworthy because it interprets the source code contained within it at runtime, allowing it to evade detection and launch a shellcode loader that contacts a command-and-control (C2) server to fetch and execute the next-stage shellcode.

The DragonSpark attackers also freely adopt other organizations' infrastructure, puppeteering servers located in China, Hong Kong, Singapore, and Taiwan, many of which are hosted by legitimate businesses, including an art gallery, a retailer for baby products, and companies in the gaming and gambling industries. The command-and-control servers used by the attackers are located in Hong Kong and the United States.

The end goals of the DragonSpark actors remain unknown, although espionage or cybercrime is likely to be the motive. The ties to China stem from the use of the China Chopper web shell to deploy malware and the use of open-source tools and infrastructure developed by Chinese-speaking developers or Chinese vendors.

Tactics, Techniques, and Procedures (TTPs)

  • Compromising internet-exposed web servers and MySQL database servers using the China Chopper web shell
  • Using open-source tools developed by Chinese-speaking developers or Chinese vendors
  • Utilizing Golang malware that interprets embedded Golang source code at runtime to evade detection
  • Conducting lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure
  • Leveraging compromised infrastructure located in China and Taiwan to stage attacks
  • Using command-and-control servers located in Hong Kong and the United States
  • Adopting other organizations' infrastructure for staging malware, including legitimate businesses

Indicators of compromise (IOCs)

File hashes

  • ShellCode_Loader (a PyInstaller package): 83130d95220bc2ede8645ea1ca4ce9afc4593196
  • m6699.exe: 14ebbed449ccedac3610618b5265ff803243313d
  • SparkRAT: 2578efc12941ff481172dd4603b536a3bd322691

Command-and-control (C2) server network endpoints

  • ShellCode_Loader: 103.96.74.148:8899
  • SparkRAT: 103.96.74.148:6688
  • m6699.exe: 103.96.74.148:6699
  • China Chopper C2 server IP address: 104.233.163.190

Staging URLs

  • ShellCode_Loader: hxxp://211.149.237.108:801/py[.]exe
  • m6699.exe: hxxp://211.149.237.108:801/m6699[.]exe
  • SparkRAT: hxxp://43.129.227.159:81/c[.]exe
  • GotoHTTP: hxxp://13.213.41.125:9001/go[.]exe
  • ShellCode_Loader: hxxp://www.bingoplanet.com.tw/images/py[.]exe
  • ShellCode_Loader: hxxps://www.moongallery.com.tw/upload/py[.]exe
  • ShellCode_Loader: hxxp://www.holybaby.com.tw/api/ms[.]exe

Note that these IOCs may change over time and may no longer be active; it is recommended to consult security experts to validate them before taking action.
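To make the indicators above usable in a detection pipeline, here is an added Python example (not part of the original article) that refangs the defanged IOCs and matches them against proxy and file-event logs. The IOC values are taken from the list above; the two log formats are assumptions and every log line is constructed for this illustration. Staging URLs are matched both as full URLs and by host, so a changed file name on the same staging server is still caught.

```python
"""Refang the DragonSpark IOCs and match them against sample logs.

Added example, not from the original article. IOC values come from the
article's IOC list; the log formats are assumed and the log lines constructed.
"""
from urllib.parse import urlsplit

# IOCs as listed in the article (file hashes are 40 hex characters, SHA-1 length).
FILE_HASHES = {
    "83130d95220bc2ede8645ea1ca4ce9afc4593196": "ShellCode_Loader",
    "14ebbed449ccedac3610618b5265ff803243313d": "m6699.exe",
    "2578efc12941ff481172dd4603b536a3bd322691": "SparkRAT",
}
C2_ENDPOINTS = {
    "103.96.74.148:8899": "ShellCode_Loader C2",
    "103.96.74.148:6688": "SparkRAT C2",
    "103.96.74.148:6699": "m6699.exe C2",
}
C2_IPS = {"104.233.163.190": "China Chopper C2"}
STAGING_URLS = [
    "hxxp://211.149.237.108:801/py[.]exe",
    "hxxp://211.149.237.108:801/m6699[.]exe",
    "hxxp://43.129.227.159:81/c[.]exe",
    "hxxp://13.213.41.125:9001/go[.]exe",
    "hxxp://www.bingoplanet.com.tw/images/py[.]exe",
    "hxxps://www.moongallery.com.tw/upload/py[.]exe",
    "hxxp://www.holybaby.com.tw/api/ms[.]exe",
]


def refang(ioc):
    """Turn a defanged indicator back into its literal form for matching."""
    return (ioc.replace("hxxps://", "https://")
               .replace("hxxp://", "http://")
               .replace("[.]", ".")
               .replace("[:]", ":"))


STAGING_URL_SET = {refang(u) for u in STAGING_URLS}
STAGING_HOSTS = {urlsplit(refang(u)).netloc for u in STAGING_URLS}

# Constructed proxy log, assumed format: "<ts> <src_ip> <dst_ip>:<port> <method> <url>"
PROXY_LOG = """\
2023-01-10T09:12:01Z 10.0.0.15 211.149.237.108:801 GET http://211.149.237.108:801/py.exe
2023-01-10T09:12:44Z 10.0.0.15 103.96.74.148:8899 CONNECT -
2023-01-10T09:13:02Z 10.0.0.22 93.184.216.34:443 GET https://example.com/index.html
2023-01-10T09:14:19Z 10.0.0.31 104.233.163.190:80 POST http://104.233.163.190/upload.aspx
"""

# Constructed file-event log, assumed format: "<ts> <host> <path> <sha1>"
FILE_LOG = """\
2023-01-10T09:12:03Z web01 C:\\Users\\Public\\py.exe 83130d95220bc2ede8645ea1ca4ce9afc4593196
2023-01-10T09:15:10Z web01 C:\\Windows\\notepad.exe 0000000000000000000000000000000000000000
"""


def match_proxy(log_text):
    """Return (timestamp, source IP, label) for each proxy line that touches an IOC."""
    hits = []
    for line in log_text.splitlines():
        ts, src, dst, _method, url = line.split(" ", 4)
        dst_ip = dst.rsplit(":", 1)[0]
        if dst in C2_ENDPOINTS:
            hits.append((ts, src, C2_ENDPOINTS[dst]))
        elif dst_ip in C2_IPS:
            hits.append((ts, src, C2_IPS[dst_ip]))
        elif url in STAGING_URL_SET or urlsplit(url).netloc in STAGING_HOSTS:
            hits.append((ts, src, "staging URL/host"))
    return hits


def match_files(log_text):
    """Return (timestamp, host, label) for each file event whose hash is an IOC."""
    hits = []
    for line in log_text.splitlines():
        ts, host, rest = line.split(" ", 2)
        _path, digest = rest.rsplit(" ", 1)  # path may itself contain spaces
        label = FILE_HASHES.get(digest.lower())
        if label:
            hits.append((ts, host, label))
    return hits


if __name__ == "__main__":
    for hit in match_proxy(PROXY_LOG) + match_files(FILE_LOG):
        print("IOC match:", hit)
```

Matching on the staging host as well as the full URL trades a little precision for resilience: the article notes that several staging hosts are legitimate businesses, so a host-only match on one of the .tw domains deserves a second look before it is treated as confirmed compromise.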
