
Researchers have discovered that organizations in Taiwan, Hong Kong, Singapore, and China have recently been targeted by attacks from the Chinese threat actor DragonSpark.
The threat actor was found to be using open-source tools such as SparkRAT, SharpToken, BadPotato, and GotoHTTP in its attacks. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, which makes the remote access Trojan (RAT) attractive to threat actors.
DragonSpark was observed using Golang malware that interprets embedded Golang source code at runtime, a technique that hinders static analysis and evades detection by static analysis mechanisms. The infrastructure for staging the payloads is located in Taiwan, Hong Kong, China, and Singapore, and some of it belongs to legitimate businesses. The C2 servers are located in Hong Kong and the US.
Initial indicators of attack
The initial indicators of DragonSpark attacks were compromised web servers and MySQL database servers exposed to the internet.
Researchers observed the China Chopper web shell, commonly used by Chinese threat actors, on the compromised servers. After gaining access to an environment, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted on attacker-controlled infrastructure.
The threat actor was also seen using two custom-built malware programs for executing malicious code: a shellcode loader, implemented in Python and delivered as a PyPI package, and m6699.exe, implemented in Golang.
SparkRAT in detail
SparkRAT is a RAT developed by the Chinese-speaking developer XZB-1248. It is written in Golang and released as open-source software. It supports the Windows, Linux, and macOS operating systems. It uses the WebSocket protocol to communicate with the C2 server and features an upgrade system: on start-up the RAT issues an upgrade request, which allows it to automatically upgrade itself to the latest version available on the C2 server.
DragonSpark also uses the Golang-based m6699.exe, which interprets encoded source code at runtime and launches a shellcode loader. This initial shellcode loader contacts the C2 server and executes the next-stage shellcode loader.
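A compiled Go binary carries symbol names such as main.main, not the literal text of a package clause, so Go source text inside an executable is a useful triage signal for loaders that interpret source at runtime, as described above. The following scanner is an added example written for this page, not code from the SentinelOne report or from DragonSpark's tooling; the two sample byte blobs are constructed, and the regex window size is an assumption.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
)

// Go source text a compiled Go binary does not normally contain: a package
// clause followed within a short window (comments allowed) by an import
// clause or a func declaration. The 200-byte window is an assumption.
var goSourceRe = regexp.MustCompile(
	`(?s)package\s+\w+\s.{0,200}?\b(?:import\s*[("]|func\s+\w+\s*\()`)

// Finding is one embedded Go source fragment: its file offset and a preview.
type Finding struct {
	Offset  int
	Snippet string
}

// ScanForEmbeddedGoSource reports every embedded Go source fragment in data.
func ScanForEmbeddedGoSource(data []byte) []Finding {
	var hits []Finding
	for _, loc := range goSourceRe.FindAllIndex(data, -1) {
		end := loc[0] + 48
		if end > len(data) {
			end = len(data)
		}
		hits = append(hits, Finding{Offset: loc[0], Snippet: fmt.Sprintf("%q", data[loc[0]:end])})
	}
	return hits
}

// Constructed samples, not real malware: a fake PE header followed by Go source
// (offset 16), and a blob holding only the symbol names a compiled binary has.
var SampleWithSource = []byte("MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00" +
	"package main\n\n// comment\nimport \"fmt\"\n\nfunc main() { fmt.Println(\"hi\") }\n")
var SampleCompiledOnly = []byte("\x7fELF\x02\x01\x01\x00main.main\x00runtime.goexit\x00fmt.Println\x00")

func main() { // usage: go run scan.go <file>...
	for _, path := range os.Args[1:] {
		data, err := os.ReadFile(path)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			continue
		}
		for _, h := range ScanForEmbeddedGoSource(data) {
			fmt.Printf("%s: Go source at offset %d: %s\n", path, h.Offset, h.Snippet)
		}
	}
}
```

A hit is a triage signal rather than a verdict: legitimate binaries that embed Go templates or test fixtures can also match, so confirm by inspecting the fragment at the reported offset.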
In September 2022, researchers observed the Zegost malware communicating with the same C2 server used by DragonSpark. Zegost is an info-stealer historically attributed to Chinese cybercriminals and has also been observed in espionage campaigns. The Chinese cybercrime actor FinGhost was identified as using Zegost malware and a variant of the sample used by DragonSpark.
This research was documented by researchers from SentinelOne.
Indicators of compromise