In a recent wave of cyberattacks, organizations in East Asia are increasingly falling victim to an advanced threat actor known as DragonSpark. This group is believed to be operating under the direction of a Chinese-speaking operator and employs sophisticated techniques to bypass traditional security measures.

According to an analysis by SentinelOne, the attacks are notable for their reliance on the little-known open-source tool SparkRAT, alongside a unique method of evading detection that involves the interpretation of Golang source code. This combination allows the malware to operate with reduced visibility, making it harder for security systems to identify malicious activity.

Central to the malware’s functionality is SparkRAT, which enables a wide range of operations including data exfiltration, system control, and the execution of additional commands via PowerShell. The exact objectives behind these intrusions remain unclear, though the likely motives are espionage and cybercrime, as is typical of state-sponsored activity.

DragonSpark’s association with Chinese cyber operations is further reinforced by its use of the China Chopper web shell, a common method among Chinese threat actors for delivering malware.

The open-source nature of the tools used raises additional concerns, as several were developed by entities tied to China. The attackers staged their malware from infrastructure in Taiwan, Hong Kong, China, and Singapore, at times using infrastructure connected to legitimate businesses. The command-and-control (C2) servers used in these operations are primarily based in Hong Kong and the United States, further complicating attribution efforts.

The initial access vector appears to involve breaching web servers exposed to the internet, specifically targeting MySQL database servers to implant the China Chopper web shell. Once a foothold is established, the attackers move laterally and escalate privileges, deploying additional malware with tools such as SharpToken, BadPotato, and GotoHTTP.

The attackers also install custom malware built to execute arbitrary code, with SparkRAT being central to data gathering and system manipulation. Another notable component is the Golang-based m6699.exe, which interprets its embedded source code at runtime, enabling it to avoid detection. This component further adds complexity to the attack by launching a shellcode loader designed to reach out to the C2 servers for further instructions.
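As an added example that is not from the article or from SentinelOne's report, the following Go program shows a hunting heuristic for the runtime source-interpretation trick described above: it flags a binary only when an embedded Go interpreter and Go source text appear together in the file's string data. The interpreter import path (Yaegi) is an assumption chosen for illustration; the article does not name which interpreter the malware embeds.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Assumed indicator: import paths of the Yaegi Go interpreter, as they appear
// in a binary's symbol and string data when the package is linked in.
var interpreterMarkers = [][]byte{
	[]byte("github.com/traefik/yaegi/interp"),
	[]byte("github.com/traefik/yaegi/stdlib"),
}

// A compiled Go program does not normally contain its own source text, so a
// package clause followed by an import or func declaration is suspicious.
var goSourceRe = regexp.MustCompile(`package\s+[A-Za-z_]\w*\s*\n\s*(?:import|func)\b`)

type Findings struct {
	Interpreter bool   // interpreter package linked in
	EmbeddedSrc bool   // Go source text present
	Marker      string // first interpreter marker matched
}

// Inspect scans the raw bytes of one file for both indicators.
func Inspect(data []byte) Findings {
	var f Findings
	for _, m := range interpreterMarkers {
		if bytes.Contains(data, m) {
			f.Interpreter, f.Marker = true, string(m)
			break
		}
	}
	f.EmbeddedSrc = goSourceRe.Match(data)
	return f
}

// Suspicious requires both indicators: an interpreter alone is common in
// legitimate tooling, and source text alone may be a template or test fixture.
func Suspicious(f Findings) bool { return f.Interpreter && f.EmbeddedSrc }

// Constructed stand-in for a binary's string data (not a real sample).
var sampleBlob = []byte("\x7fELF\x00go1.20\x00github.com/traefik/yaegi/interp.New\x00" +
	"package main\nimport \"fmt\"\nfunc main() {}\x00")

func main() {
	f := Inspect(sampleBlob)
	fmt.Printf("interpreter=%v (%s) embedded_source=%v suspicious=%v\n",
		f.Interpreter, f.Marker, f.EmbeddedSrc, Suspicious(f))
}
```

Run it against real files by replacing sampleBlob with the output of os.ReadFile; the regular expression is applied to the whole file, so no separate string extraction step is needed.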

The analysis concludes that Chinese-speaking threat actors routinely employ open-source resources in their malicious operations. Given that SparkRAT is a versatile tool featuring continuous updates, it is likely to remain a focal point for cybercriminals and adversaries moving forward.
