A Chinese-speaking hacking group tracked as ‘DragonSpark’ was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.
The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.
The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.
SparkRAT in the wild
The threat actors access vulnerable MySQL and web server endpoints by deploying webshells through SQL injection, cross-site scripting, or web server vulnerabilities.
Next, the attackers deploy SparkRAT, a Golang-based open-source tool that can run on Windows, macOS, and Linux, offering feature-rich remote access functionality.
SparkRAT supports 26 commands received from the C2 to perform the following functions:
- Remotely execute PowerShell and Windows system commands.
- Manipulate Windows functions and force shutdown, restart, or suspension.
- Perform file actions like download, upload, or deletion.
- Steal system information or capture screenshots and exfiltrate them to the C2.
SparkRAT uses the WebSocket protocol to communicate with the C2 server, and can automatically upgrade itself, constantly adding new features.
SparkRAT upgrading itself automatically (SentinelLabs)
Besides SparkRAT, ‘DragonSpark’ also uses the SharpToken and BadPotato tools for privilege escalation and the GotoHTTP tool for establishing persistence on the breached system.
Advantages of code interpretation
What makes the campaign stand out, however, is the use of Golang source code interpretation to execute code from Go scripts embedded in the malware binaries.
These Go scripts are used to open a reverse shell so that the threat actors can connect to it using Meterpreter for remote code execution.
A Meterpreter session (SentinelLabs)
The malware uses the Yaegi framework to interpret, at runtime, the base64-encoded Go source code stored inside the compiled binary. The embedded code therefore runs without ever being compiled, which helps it evade static analysis.
This is a rather complex but effective technique for hindering static analysis, as most security software evaluates the behavior of compiled code rather than source code.
Golang source code (SentinelLabs)
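As an added defensive example (not code from the SentinelLabs report or from any DragonSpark sample), the following Go triage helper looks for the two artefacts this technique leaves in a file: the Yaegi import path and long base64 runs that decode to something shaped like Go source. The 64-character threshold, the `package `/`func ` heuristic, and the assumption that the import path survives in an unstripped binary are this example's own choices.

```go
package main

import (
	"encoding/base64"
	"regexp"
	"strings"
)

// Import path of the Yaegi interpreter (real); it is assumed to survive in the
// binary's symbol data unless the sample has been stripped or obfuscated.
const yaegiImportPath = "github.com/traefik/yaegi/interp"

// Runs of base64 alphabet at least 64 characters long; the minimum length is
// an assumption chosen to cut noise from short strings.
var base64Run = regexp.MustCompile(`[A-Za-z0-9+/]{64,}={0,2}`)

// Finding records one suspicious artefact located in a sample.
type Finding struct {
	Kind    string // "yaegi-import" or "embedded-go-source"
	Offset  int    // byte offset in the sample
	Snippet string // the indicator, or the first bytes of decoded source
}

// looksLikeGoSource is a cheap structural check on decoded text.
func looksLikeGoSource(s string) bool {
	return strings.Contains(s, "package ") && strings.Contains(s, "func ")
}

// ScanForInterpretedGo walks raw file bytes and reports the Yaegi import
// string plus any base64 run that decodes to something resembling Go source.
func ScanForInterpretedGo(sample []byte) []Finding {
	var findings []Finding
	if i := strings.Index(string(sample), yaegiImportPath); i >= 0 {
		findings = append(findings, Finding{"yaegi-import", i, yaegiImportPath})
	}
	for _, loc := range base64Run.FindAllIndex(sample, -1) {
		decoded, err := base64.StdEncoding.DecodeString(string(sample[loc[0]:loc[1]]))
		if err != nil || !looksLikeGoSource(string(decoded)) {
			continue // not valid base64, or decodes to something other than Go source
		}
		snippet := string(decoded)
		if len(snippet) > 40 {
			snippet = snippet[:40]
		}
		findings = append(findings, Finding{"embedded-go-source", loc[0], snippet})
	}
	return findings
}
```

Run it over the output of `strings`-style extraction or the raw file; a hit on both kinds in one sample is the signal worth escalating, since either alone has benign explanations.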
Who is DragonSpark?
DragonSpark does not appear to have any notable overlaps with other Chinese-speaking hacking groups; hence, SentinelLabs assigned the cluster a new name.
Its operations were first spotted in September 2022, involving the Zegost malware, historically associated with Chinese espionage-focused APTs (advanced persistent threats).
The webshell DragonSpark planted onto compromised servers was ‘China Chopper,’ now commonly used by threat actors worldwide.
Also, all of the open-source tools used by DragonSpark were developed by Chinese authors, which strongly indicates that the threat actors have ties to the country.
DragonSpark used compromised networks in Taiwan, Hong Kong, China, and Singapore belonging to gambling-related companies, art galleries, travel agencies, and schools.