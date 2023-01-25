



An unidentified group is using the remote access tool SparkRAT, along with other legitimate and malicious tools created by Chinese-language developers, to target Internet-connected servers in East Asia, according to new research from SentinelOne. Senior threat researcher Aleksandar Milenkoski told SC Media that the campaign, which his team calls DragonSpark, is a cluster of activity that has so far not been connected to any known state-sponsored or financially motivated hacking group.

It appears to focus on using SparkRAT, which the researchers describe as a feature-rich, cross-platform tool that runs on Windows, Linux, and macOS. SparkRAT is written in Golang, a programming language increasingly used to create both legitimate tools and malware, and there is evidence that the same actors also deploy other malware written in Golang to evade static detection and analysis. The version observed by the researchers appears to have been built on November 1, 2022 and supports 26 different commands, including command execution, system manipulation, file and process manipulation, and data exfiltration.

"When we combine all of this, [SparkRAT] is a very feature-rich and cross-platform tool that they can reuse in different victim environments. We came to the conclusion that they probably adopted it because it's very, very convenient for them," Milenkoski said.

The findings bolster evidence that the previously little-known open-source tool is increasingly being used by malicious hackers. In December, Microsoft reported that threat actors are increasingly relying on SparkRAT, but it is unclear whether the actors behind DragonSpark were included in that assessment.

SparkRAT is one of several open-source tools used by DragonSpark that were developed by Chinese-language programmers or vendors, alongside others such as SharpToken and BadPotato (tools used to find and exploit user credentials and access in order to elevate privileges) and GoToHTTP, another remote access tool that malicious actors can use to maintain persistence within a victim's network. This tooling, the fact that DragonSpark also uses China Chopper, a webshell favored by many Chinese Advanced Persistent Threat (APT) groups, and an overall focus on victims located in East Asia have led SentinelOne to assess that it is highly likely that the actors behind the group are Chinese speakers.

Most of the evidence is based on technical indicators drawn from victim environments, the location of malware staging infrastructure throughout East Asia (a common choice for Chinese cybercriminal groups), and a number of overlaps between tools or servers used by DragonSpark and those of other Chinese-speaking threat groups. However, the company does not link the activity to Beijing or to any known state-sponsored APT, and Milenkoski told SC Media that the evidence collected so far provides no clear indication of whether the ultimate purpose behind the intrusions is financial, espionage-related, or both.

While such evidence can often indicate a particular threat actor's regional or language preferences, it is not uncommon for one hacker group to use another's preferred tools to disguise its identity. The researchers are therefore cautious about drawing firm conclusions around attribution. "We were very careful with that; we use the Chinese term intentionally for many reasons," Milenkoski said.

