Chinese Hackers Utilize Golang Malware in DragonSpark Attacks to Evade Detection

24 January 2023Ravie LakshmananCyber ​​espionage / Golang

Golang Malware in DragonSpark Attacks

Organizations in East Asia are being targeted by a likely Chinese-speaking actor who has been baptized DragonSpark while using uncommon tactics to bypass security layers.

“The attacks are characterized by the use of the little-known open source SparkRAT and malware that tries to avoid detection through Golang source code interpretation,” SentinelOne said in an analysis published today.

A striking aspect of the intrusion is the consistent use of SparkRAT to perform a variety of activities, including stealing information, gaining control of an infected host, or running additional PowerShell instructions.

The threat actor’s ultimate goals are still unknown, although espionage or cybercrime is likely to be the motive. DragonSpark’s ties to China stem from its use of the China Chopper web shell to deploy malware – a widely used attack path among Chinese threat actors.

Furthermore, not only do the open source tools used in the cyber attacks originate from developers or companies with links to China, the structure to stage the payloads is located in Taiwan, Hong Kong, China and Singapore, some of which belong to legitimate companies.

The command-and-control (C2) servers, on the other hand, are located in Hong Kong and the United States, the cybersecurity firm said.

Golang Malware

Initial entry routes involve compromising Internet-exposed web servers and MySQL database servers to drop the China Chopper web shell. The foothold is then exploited to perform lateral movement, privilege escalation, and malware deployment using open source tools such as SharpToken, BadPotato, and GotoHTTP.

Also delivered to the hosts are custom malware capable of executing arbitrary code and SparkRAT, a cross-platform remote access Trojan that can run system commands, manipulate files and processes, and siphon information of interest.

Another important malware is the Golang-based m6699.exe, which at runtime interprets the source code contained within it so that it flies under the radar and launches a shellcode loader designed to contact the C2 server to retrieve and perform the next step shell code.

“Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns,” the researchers concluded.

“Since SparkRAT is a multi-platform and feature-rich tool and is continuously updated with new features, we believe that RAT will remain attractive to cybercriminals and other threat actors in the future.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Leave a Reply

Your email address will not be published. Required fields are marked *