Chinese-backed DragonSpark hackers evade detection with SparkRAT, Golang source code interpretation


SentinelLabs disclosed on Tuesday that it has been monitoring recent attacks against East Asian organizations, tracked as DragonSpark, which it assesses are highly likely to be backed by a Chinese-speaking actor. The attacks are characterized by the use of the little-known open-source SparkRAT and by malware that attempts to evade detection through Golang source code interpretation.

“The DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware. The C2 servers were located in Hong Kong and the United States,” SentinelLabs researchers wrote in a company blog post. “The malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organizations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites. We also observed an Amazon Cloud EC2 instance as part of this infrastructure,” they added.

Researchers assess that it is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks, using Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation. The attacks provide evidence that Chinese-speaking threat actors are adopting SparkRAT and leveraging compromised infrastructure in China and Taiwan to stage SparkRAT and other tools and malware.

“The DragonSpark attacks represent the first concrete malicious activity where we observe the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape,” according to the researchers. “SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.”

The Microsoft Security Threat Intelligence team reported in late December 2022 on indications of threat actors using SparkRAT. “However, we have not observed concrete evidence linking DragonSpark to the activity documented in the report by Microsoft,” the researchers added.

SentinelLabs observed that the group behind the DragonSpark attacks uses Golang malware that interprets embedded Golang source code at runtime, a technique for hindering static analysis and evading static detection mechanisms. Because the malicious logic is carried as source text and only interpreted once the binary runs, tools that examine compiled code see the interpreter rather than the payload. “This uncommon technique provides threat actors with yet another means to evade detection mechanisms by obfuscating malware implementations.”
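A binary that interprets Go source at runtime still has to carry that source somewhere, typically as an encoded string, and it has to link an interpreter. Both leave static traces a triage script can hunt for. The following is an added example written for this article, not code from SentinelLabs or from the malware: it scans a byte blob for long base64 runs that decode to Go source and for an interpreter import path. The article names no interpreter, so the Yaegi path (github.com/traefik/yaegi) is an assumption used only as an illustrative indicator, and the sample "binary" is constructed inline.

```python
import base64
import binascii
import re

# Substrings that mark a decoded blob as Go source rather than random data.
GO_SOURCE_MARKERS = (b"package ", b"import ", b"func ")

# ASSUMPTION: the article names no interpreter. Yaegi (github.com/traefik/yaegi)
# is the best-known embeddable Go interpreter, so its import path is used here
# as an illustrative indicator that a binary can run Go source at runtime.
INTERPRETER_PATHS = (b"github.com/traefik/yaegi",)

# Runs of base64 text long enough to hold a source file; padding optional.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_embedded_go_source(blob: bytes) -> list:
    """Return base64 runs in `blob` whose decoding looks like Go source."""
    hits = []
    for m in _B64_RUN.finditer(blob):
        raw = m.group(0)
        # A run that stopped mid-quantum cannot decode; drop the ragged tail.
        raw = raw[: len(raw) - len(raw) % 4]
        try:
            decoded = base64.b64decode(raw, validate=True)
        except (ValueError, binascii.Error):
            continue
        # Require at least two markers so ordinary base64 text does not match.
        if sum(1 for k in GO_SOURCE_MARKERS if k in decoded) >= 2:
            hits.append({"offset": m.start(), "source": decoded})
    return hits


def has_go_interpreter_strings(blob: bytes) -> bool:
    """True if the blob carries an embeddable Go interpreter's import path."""
    return any(p in blob for p in INTERPRETER_PATHS)


def triage(blob: bytes) -> dict:
    """Summarise both indicators; flag when interpreter and source coexist."""
    sources = find_embedded_go_source(blob)
    interp = has_go_interpreter_strings(blob)
    return {
        "interpreter": interp,
        "embedded_sources": len(sources),
        "suspicious": interp and bool(sources),
    }


# CONSTRUCTED sample: a stand-in "binary" holding a base64-encoded Go source
# payload next to an interpreter import path. Not a real DragonSpark sample.
SAMPLE_GO_SOURCE = b"""package main

import "os/exec"

func main() {
\texec.Command("cmd", "/c", "whoami").Run()
}
"""
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"github.com/traefik/yaegi/interp\x00"
    + base64.b64encode(SAMPLE_GO_SOURCE) + b"\x00"
    + b"runtime.main\x00"
)

if __name__ == "__main__":
    for hit in find_embedded_go_source(SAMPLE_BINARY):
        print("embedded Go source at offset", hit["offset"])
        print(hit["source"].decode())
    print(triage(SAMPLE_BINARY))
```

The two-marker rule keeps base64-encoded prose or certificates from matching; in practice the same logic translates directly into a YARA rule with a `base64` string modifier, and real samples may add a layer of compression or XOR before the base64, which this scanner would need to peel first.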

SentinelLabs researchers observed compromises of web servers and MySQL database servers exposed to the Internet as the initial indicators of the DragonSpark attacks. They added that exposing MySQL servers to the Internet is an infrastructure posture flaw that often leads to severe incidents involving data breaches, credential theft, or lateral movement across networks.

“At compromised web servers, we observed use of the China Chopper webshell, recognizable by the ‘&echo [S]&cd&echo [E]’ sequence in virtual terminal requests,” the post added. “China Chopper is commonly used by Chinese threat actors, which are known to deploy the webshell through different vectors, such as exploiting web server vulnerabilities, cross-site scripting, or SQL injections.”
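The marker SentinelLabs cites is only visible after decoding: the China Chopper client sends its command base64-encoded inside a POST parameter, so a check on the raw request body misses it. The following detector is an added example written for this article, not SentinelLabs' or any vendor's code. It URL-decodes the body, tests each parameter value as base64, and looks for the marker in both the clear-text and decoded forms. The request bodies it runs over are constructed here, not captured traffic, and the parameter names (password, z0, z1) follow the commonly documented China Chopper layout, which is an assumption rather than something the article states.

```python
import base64
import binascii
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlencode

# Marker SentinelLabs cites for China Chopper virtual-terminal requests.
CHOPPER_MARKER = "&echo [S]&cd&echo [E]"


def _maybe_base64(value: str) -> Optional[bytes]:
    """Decode `value` as base64 if it is well formed, otherwise return None."""
    # Some clients strip '=' padding; restore it before strict decoding.
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (ValueError, binascii.Error):
        return None


def detect_china_chopper(body: str) -> dict:
    """Inspect one URL-encoded POST body for the China Chopper terminal marker.

    Checks the marker in clear text (after URL-decoding) and inside every
    base64-encoded parameter value, which is how the client sends commands.
    """
    # Whole-body check catches the marker sent in clear text; parse_qs would
    # otherwise split on the '&' characters that are part of the marker.
    clear = unquote_plus(body)
    if CHOPPER_MARKER in clear:
        return {"matched": True, "param": None, "command": clear}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for value in values:
            decoded = _maybe_base64(value)
            if decoded is not None and CHOPPER_MARKER.encode() in decoded:
                return {"matched": True, "param": name,
                        "command": decoded.decode("utf-8", "replace")}
    return {"matched": False, "param": None, "command": None}


def build_sample_requests() -> list:
    """CONSTRUCTED sample POST bodies: one China Chopper style, two benign."""
    chopper_cmd = 'cmd /c cd /d "C:\\inetpub\\wwwroot\\"&whoami&echo [S]&cd&echo [E]'
    chopper_body = urlencode({
        # ASSUMPTION: password/z0/z1 layout as commonly documented for the client.
        "password": "@eval(base64_decode($_POST['z0']));",
        "z0": base64.b64encode(b'@ini_set("display_errors","0");').decode(),
        "z1": base64.b64encode(chopper_cmd.encode()).decode(),
    })
    benign_form = urlencode({"username": "alice", "comment": "hello & welcome"})
    benign_upload = urlencode(
        {"file": base64.b64encode(b"quarterly report text " * 5).decode()})
    return [chopper_body, benign_form, benign_upload]


if __name__ == "__main__":
    for body in build_sample_requests():
        print(detect_china_chopper(body))
```

Because the marker lives in the request body, this check needs a source that retains bodies (a WAF, reverse proxy, or full packet capture); ordinary access logs, which record only the request line, cannot surface it.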

After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure, the researchers said. “We observed that the threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors.”

SentinelLabs researchers assess that the actor may have espionage or cybercrime motivations. “In September 2022, a few weeks before we first spotted DragonSpark indicators, a sample of Zegost malware (bdf792c8250191bd2f5c167c8dbea5f7a63fa3b4) – an info-stealer historically attributed to Chinese cybercriminals, but also observed as part of espionage campaigns – was reported communicating with 104.233.163[dot]190. We observed this same C2 IP address as part of the DragonSpark attacks. Previous research by the Weibu Intelligence Agency (微步情报局) reported that Chinese cybercrime actor FinGhost was using Zegost,” they added.

The team also noted that the actor behind DragonSpark used the China Chopper webshell to deploy malware. China Chopper has historically been used consistently by Chinese cybercriminals and espionage groups, such as TG-3390 and Leviathan. Further, all of the open-source tools used by the threat actor conducting the DragonSpark attacks are developed by Chinese-speaking developers or Chinese vendors. This includes SparkRAT by XZB-1248, SharpToken and BadPotato by BeichenDream, and GotoHTTP by Pingbo Inc.

SentinelLabs said that the malware staging infrastructure is located exclusively in East Asia (Taiwan, Hong Kong, China, and Singapore), a pattern common among Chinese-speaking threat actors targeting victims in the region. “This evidence is consistent with our assessment that the DragonSpark attacks are highly likely orchestrated by a Chinese-speaking threat actor,” it added.

SentinelLabs continues to monitor the DragonSpark cluster of activities and hopes that defenders will leverage the findings presented in this article to bolster their defenses, it added.

Last month, SentinelLabs disclosed that the Vice Society group had adopted a new custom-branded ransomware payload in recent intrusions, dubbed ‘PolyVice,’ which implements an encryption scheme combining NTRUEncrypt with ChaCha20-Poly1305. It is also likely that the group that built the custom-branded ransomware for Vice Society is selling similar payloads to other groups.
