The group is seen using SparkRAT, a multi-platform remote access Trojan, to target firms in Hong Kong, Taiwan, China, and Singapore. Organizations in Taiwan, Hong Kong, Singapore, and China have been recently facing attacks from Chinese threat actor DragonSpark. The threat actor was observed using the open-source tool SparkRAT for its attacks, according to a report by SentinelOne. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the remote access Trojan (RAT) attractive to threat actors.DragonSpark was observed using Golang malware that interprets embedded GoLang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms. “This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations,” SentinelOne noted. The infrastructure for staging the payloads is located in Taiwan, Hong Kong, China, and Singapore, some of which belong to legitimate businesses. The command-and-control (C2) servers are situated in Hong Kong and the US, the cybersecurity firm noted. Initial intrusion vectorThe initial indicators of the DragonSpark attacks were the compromised web servers, and MySQL database servers exposed to the internet. Exposing MySQL servers to the internet is an infrastructure posture flaw that can lead to data breaches, credential theft, or lateral movement across networks, SentinelOne noted. At the compromised server, researchers observed the use of China Chopper webshell, a webshell commonly used by Chinese threat actors. “After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure,” the report said. The threat actor was found to be using open-source tools such as SparkRAT, SharpToken, BadPotato, and GotoHTTP, which are developed by Chinese-speaking developers or Chinese vendors. “In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: Shellcode loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang,” SentinelOne said. The genesis of SparkRATSparkRAT is remote access Trojan developed by Chinese-speaking developer XZB-1248. The RAT is developed in Golang and released as open-source software. It supports Windows, Linux, and macOS operating systems. SparkRAT uses WebSocket protocol to communicate with the C2 server and features an upgrade system. This allows the RAT to automatically upgrade itself to the latest version available on the C2 server upon start-up by issuing an upgrade request. “This is an HTTP POST request, with the commit query parameter storing the current version of the tool,” researchers noted. In the attacks analyzed by the researchers, the SparkRAT version used was built on November 1, 2022, and deployed 26 commands. “Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future,” researchers said. DragonSpark also uses Golang-based m6699.exe, to interpret runtime encoded source code and launch a shellcode loader. This initial shellcode loader contacts the C2 server and executes the next-stage shellcode loader. Likely a Chinese-speaking threat actorBased on several indicators, the researchers say it is highly likely that DragonSpark is a Chinese-speaking threat actor. “We are unable at this point to link DragonSpark to a specific threat actor due to lack of reliable actor-specific indicators. The actor may have espionage or cybercrime motivations,” the researchers said. In September 2022, researchers observed the Zegost malware communicating with the same C2 server that is being used by DragonSpark. Zegost malware is an info-stealer historically attributed to Chinese cybercriminals and has also been observed as part of espionage campaigns. Research by Weibu Intelligence Agency claimed that Chinese cybercrime actor FinGhost was using Zegost malware and a variant of the sample used by DragonSpark.The researchers also noted that the malware staging infrastructure is located exclusively in East Asia—Taiwan, Hong Kong, China, and Singapore, which is common amongst Chinese-speaking threat actors targeting victims in the region. “This evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor,” SentinelOne noted. Related content feature Finding the perfect match: What CISOs should ask before saying ‘yes’ to a job Sometimes it's not really clear why a company wants to hire a CISO or the role lacks authority. There are some key questions that CISOs can ask to avoid taking a job with too many red flags. By Aimee Chanthadavong Apr 29, 2024 8 mins CSO and CISO Careers opinion Navigating personal liability: post data-breach recommendations for CISOs CISOs can avoid being liable for data breaches by following legal advice, communicating effectively with internal and external stakeholders, and demonstrating commitment to avoid future incidents. By Daniel B. Garrie and Richard A Kramer Apr 29, 2024 8 mins CSO and CISO Data Breach Legal news 2024 CSO30 ASEAN Awards: Call for nominations By Xiou Ann Lim Apr 29, 2024 2 mins Security feature The biggest data breach fines, penalties, and settlements so far Hacks and data thefts, enabled by weak security, cover-ups or avoidable mistakes have cost these companies a total of nearly $4.4 billion and counting. By Shweta Sharma and Michael Hill Apr 26, 2024 16 mins Data Breach Security PODCASTS VIDEOS RESOURCES EVENTS SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe