By Aleksandar Milenkoski, Joey Chen, and Amitai Ben Shushan Ehrlich
Executive Summary
- SentinelLabs tracks a cluster of recent opportunistic attacks against organizations in East Asia as DragonSpark.
- SentinelLabs assesses it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks.
- The attacks provide evidence that Chinese-speaking threat actors are adopting the little known open source tool SparkRAT.
- The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation.
- The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.
Overview
SentinelLabs has been monitoring recent attacks against East Asian organizations we track as ‘DragonSpark’. The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
The DragonSpark attacks represent the first concrete malicious activity where we observe the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.
The Microsoft Security Threat Intelligence team reported in late December 2022 on indications of threat actors using SparkRAT. However, we have not observed concrete evidence linking DragonSpark to the activity documented in the report by Microsoft.
We observed that the threat actor behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime as a technique for hindering static analysis and evading detection by static analysis mechanisms. This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations.
Intrusion Vector
&echo [S]&cd&echo [E]After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure. We observed that the threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT as well as other tools, such as:
In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang.
SparkRAT
SparkRAT is a RAT developed in Golang and released as open source software by the Chinese-speaking developer XZB-1248. SparkRAT is a feature-rich and multi-platform tool that supports the Windows, Linux, and macOS operating systems.
SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server upon startup by issuing an upgrade request. This is an HTTP POST request, with the commit query parameter storing the current version of the tool.
6920f726d74efb7836a03d3acfc0f23af196765e- Command execution: including execution of arbitrary Windows system and PowerShell commands.
- System manipulation: including system shutdown, restart, hibernation, and suspension.
- File and process manipulation: including process termination as well as file upload, download, and deletion.
- Information theft: including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration.
Golang Source Code Interpretation For Evading Detection
The Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled. This is a technique for hindering static analysis and evading detection by static analysis mechanisms.
The main purpose of m6699.exe is to execute a first-stage shellcode that implements a loader for a second-stage shellcode.
m6699.exe first decodes a Base-64 encoded string. This string is Golang source code that conducts the following activities:
MainRunrun.Mainrun.MainHEAP_CREATE_ENABLE_EXECUTErun.Mainrun.Mainrun.MainThe first-stage shellcode implements a shellcode loader. The shellcode connects to a C2 server using the Windows Sockets 2 library and receives a 4-byte big value. This value is the size of a second-stage shellcode for which the first-stage shellcode allocates memory of the received size. The first-stage shellcode then receives from the C2 server the second-stage shellcode and executes it.
When m6699.exe executes, the threat actor can establish a Meterpreter session for remote command execution.
ShellCode_Loader
ShellCode_Loader is the internal name of a PyInstaller-packaged malware that is implemented in Python. ShellCode_Loader serves as the loader of a shellcode that implements a reverse shell.
ShellCode_Loader uses encoding and encryption to hinder static analysis. The malware first Base-64 decodes and then decrypts the shellcode. ShellCode_Loader uses the AES CBC encryption algorithm, and Base-64 encoded AES key and initialization vector for the decryption.
ShellCode_Loader uses the Python ctypes library for accessing the Windows API to load the shellcode in memory and start a new thread that executes the shellcode. The Python code that conducts these activities is Base-64 encoded in an attempt to evade static analysis mechanisms that alert on the use of Windows API for malicious purposes.
The shellcode creates a thread and connects to a C2 server using the Windows Sockets 2 library. When the shellcode executes, the threat actor can establish a Meterpreter session for remote command execution.
Infrastructure
The DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware. The C2 servers were located in Hong Kong and the United States.
The malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organizations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites. We also observed an Amazon Cloud EC2 instance as part of this infrastructure.
The tables below provide an overview of the infrastructure used in the DragonSpark attacks.
Malware staging infrastructure
172_19_0_3King of VP$SellerVPSEC2AMAZ-4559AU9C2 server infrastructure
CLOUD2012R2Premium AccIRANHACKERS!Only For Votersjiance.ittoken[.]xyzWIN-CLC0OFDKTMKkanmn[.]cnAttribution Analysis
We assess it is highly likely that a Chinese-speaking threat actor is behind the DragonSpark attacks. We are unable at this point to link DragonSpark to a specific threat actor due to lack of reliable actor-specific indicators.
104.233.163[.]190In addition, the threat actor behind DragonSpark used the China Chopper webshell to deploy malware. China Chopper has historically been consistently used by Chinese cybercriminals and espionage groups, such as the TG-3390 and Leviathan. Further, all of the open source tools used by the threat actor conducting DragonSpark attacks are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT by XZB-1248, SharpToken and BadPotato by BeichenDream, and GotoHTTP by Pingbo Inc.
Finally, the malware staging infrastructure is located exclusively in East Asia (Taiwan, Hong Kong, China, and Singapore), behavior which is common amongst Chinese-speaking threat actors targeting victims in the region. This evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor.
Conclusions
Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns. The little known SparkRAT that we observed in the DragonSpark attacks is among the newest additions to the toolset of these actors.
Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future.
In addition, threat actors will almost certainly continue exploring techniques and specificalities of execution environments for evading detection and obfuscating malware, such as Golang source code interpretation that we document in this article.
SentinelLabs continues to monitor the DragonSpark cluster of activities and hopes that defenders will leverage the findings presented in this article to bolster their defenses.
Indicators of Compromise
| Description | Indicator |
| ShellCode_Loader (a PyInstaller package) | 83130d95220bc2ede8645ea1ca4ce9afc4593196 |
| m6699.exe | 14ebbed449ccedac3610618b5265ff803243313d |
| SparkRAT | 2578efc12941ff481172dd4603b536a3bd322691 |
| C2 server network endpoint for ShellCode_Loader | 103.96.74[.]148:8899 |
| C2 server network endpoint for SparkRAT | 103.96.74[.]148[:]6688 |
| C2 server network endpoint for m6699.exe | 103.96.74[.]148:6699 |
| C2 server IP address for China Chopper | 104.233.163[.]190 |
| Staging URL for ShellCode_Loader | hxxp://211.149.237[.]108:801/py.exe |
| Staging URL for m6699.exe | hxxp://211.149.237[.]108:801/m6699.exe |
| Staging URL for SparkRAT | hxxp://43.129.227[.]159:81/c.exe |
| Staging URL for GotoHTTP | hxxp://13.213.41.125:9001/go.exe |
| Staging URL for ShellCode_Loader | hxxp://www.bingoplanet[.]com[.]tw/images/py.exe |
| Staging URL for ShellCode_Loader | hxxps://www.moongallery.com[.]tw/upload/py.exe |
| Staging URL for ShellCode_Loader | hxxp://www.holybaby.com[.]tw/api/ms.exe |