DragonSpark: Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation
January 2023 by SentinelOne
SentinelLabs has been monitoring recent attacks against East Asian organisations from a group tracked as ‘DragonSpark’. The attacks are characterised by the use of the little-known open-source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.
The DragonSpark attacks represent the first concrete malicious activity where SentinelLabs observed the consistent use of the open source SparkRAT, a relatively new occurrence on the threat landscape. SparkRAT is multi-platform, feature-rich, and frequently updated with new features, making the RAT attractive to threat actors.
The Microsoft Security Threat Intelligence team reported in late December 2022 on indications of threat actors using SparkRAT. However, no concrete evidence linking DragonSpark to the activity documented in the report by Microsoft has been observed.
The DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware. The malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organisations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites.
SentinelLabs also observed an Amazon Cloud EC2 instance as part of this infrastructure.
Key findings:
• SentinelLabs tracked a cluster of recent opportunistic attacks against organisations in East Asia as DragonSpark
• It is highly likely that a Chinese-speaking actor is behind the DragonSpark attacks
• The attacks provide evidence that Chinese-speaking threat actors are adopting the little-known open-source tool SparkRAT
• The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation
• The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware
Conclusion:
SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features. Consequently, it’s anticipated that the RAT will remain attractive to cybercriminals and other threat actors in the future.
In addition, threat actors will almost certainly continue to explore techniques and peculiarities of execution environments for evading detection and obfuscating malware, such as the Golang source code interpretation identified in SentinelLabs’ research.