SentinelLabs tracks DragonSpark, a cluster of opportunistic East Asia–targeted attacks that leverage the SparkRAT open-source RAT and Golang-based runtime source-code interpretation to evade static analysis. The activity is attributed with high likelihood to a Chinese-speaking threat actor, who also uses compromised East Asian infrastructure to stage tools and malware.
Keypoints
- DragonSpark is an East Asia–focused campaign observed by SentinelLabs, leveraging SparkRAT and Golang-based evasion techniques.
- Attribution suggests a Chinese-speaking actor behind DragonSpark, with infrastructure and tooling tied to Chinese developers/vendors.
- SparkRAT is used as a multi-platform RAT with a WebSocket C2 channel and an auto-upgrade capability.
- The attackers target exposed web servers and MySQL instances, using China Chopper as a webshell to gain initial access.
- Decentralized tooling includes SharpToken, BadPotato, and GotoHTTP, alongside custom malware ShellCode_Loader (Python) and m6699.exe (Golang).
- Golang source-code interpretation (Yaegi) is used to run embedded Go source at runtime, hindering static analysis and enabling a staged loader with Meterpreter sessions.
- DragonSpark infrastructure spans Taiwan, Hong Kong, China, and Singapore, with C2s located in Hong Kong and the United States and staging assets across multiple East Asian targets.
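As an added illustration of the runtime source-interpretation keypoint above (example code written for this page, not from the SentinelLabs report or the DragonSpark tooling): a small Python triage check that flags a binary carrying both the Yaegi interpreter's import paths and literal Go source text, then pulls that source out for review. The marker strings, the "two signals" threshold and the sample byte blobs are assumptions constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Import paths of the Yaegi interpreter (real package paths) and text that only
# appears when Go *source* is embedded in a binary rather than compiled.
YAEGI_MARKERS = (b"github.com/traefik/yaegi/interp", b"github.com/traefik/yaegi/stdlib")
GO_SOURCE_PATTERNS = (rb"package\s+main", rb"func\s+main\s*\(", rb"import\s*\(")


class Verdict(NamedTuple):
    yaegi_hits: tuple
    source_hits: tuple
    suspicious: bool


def scan_bytes(blob: bytes) -> Verdict:
    """Flag a binary that links Yaegi *and* carries Go source text: a normal Go build
    keeps package paths in its pclntab but never the text of its own main package."""
    yaegi_hits = tuple(m.decode() for m in YAEGI_MARKERS if m in blob)
    source_hits = tuple(p.decode() for p in GO_SOURCE_PATTERNS if re.search(p, blob))
    # Require both signals; a stray "package main" in a comment is not enough on its own.
    # Caveat: an obfuscated/renamed build can hide the import path, so treat a
    # source-only hit as worth a second look rather than as a clean result.
    return Verdict(yaegi_hits, source_hits, bool(yaegi_hits) and len(source_hits) >= 2)


def extract_embedded_source(blob: bytes) -> Optional[str]:
    """Return the embedded Go source (from 'package main' up to the first NUL byte)
    so an analyst can review what the interpreter would execute at runtime."""
    m = re.search(rb"package\s+main[^\x00]*", blob)
    return m.group(0).decode("utf-8", "replace") if m else None


# Constructed sample blobs standing in for file contents (not real malware bytes).
EMBEDDED_SOURCE = (b"package main\n\nimport (\n\t\"fmt\"\n)\n\nfunc main() {\n"
                   b"\tfmt.Println(\"stage two\")\n}\n")
SAMPLE_LOADER = (b"\x7fELF\x00\x00junk\x00github.com/traefik/yaegi/interp\x00"
                 b"github.com/traefik/yaegi/stdlib\x00" + EMBEDDED_SOURCE + b"\x00tail")
SAMPLE_BENIGN = b"\x7fELF\x00\x00main.main\x00runtime.main\x00github.com/spf13/cobra\x00"

if __name__ == "__main__":
    verdict = scan_bytes(SAMPLE_LOADER)
    print(verdict)
    if verdict.suspicious:
        print(extract_embedded_source(SAMPLE_LOADER))
```

Run it over the raw bytes of a sample; on a hit, the recovered source is the code the interpreter would run, which is exactly what static analysis of the compiled wrapper misses.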
MITRE Techniques
- [T1505.003] Web Shell – Using China Chopper to gain initial access on exposed web servers and MySQL servers; “China Chopper is commonly used by Chinese threat actors, which are known to deploy the webshell through different vectors, such as exploiting web server vulnerabilities, cross-site scripting, or SQL injections.”
- [T1071.001] Web Protocols – SparkRAT communicates with the C2 server using WebSocket, enabling control and upgrades via the C2 channel; “SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system.”
- [T1059.003] Command and Scripting Interpreter – SparkRAT commands include “execution of arbitrary Windows system and PowerShell commands.”
- [T1059.001] PowerShell – Sub-technique indicating PowerShell command execution within SparkRAT’s capabilities; “execution of arbitrary Windows system and PowerShell commands.”
- [T1055] Process Injection – ShellCode_Loader and in-memory shellcode execution involve loading and running code within memory; “the malware loads the shellcode in memory and starts a new thread that executes the shellcode.”
- [T1105] Ingress Tool Transfer – The shellcode loader and second-stage payload transfer from C2 to the compromised host; “The first-stage shellcode … receives the second-stage shellcode and executes it.”
- [T1027.001] Obfuscated/Compressed Files and Information – ShellCode_Loader encodes/encrypts its shellcode to hinder static analysis; “Base-64 decoded and then decrypts the shellcode. The AES CBC encryption algorithm…”
Indicators of Compromise
- [Hash] ShellCode_Loader – 83130d95220bc2ede8645ea1ca4ce9afc4593196, 14ebbed449ccedac3610618b5265ff803243313d, and 1 more hash
- [Hash] m6699.exe – 14ebbed449ccedac3610618b5265ff803243313d
- [Hash] SparkRAT – 2578efc12941ff481172dd4603b536a3bd322691
- [IP] C2 endpoint (ShellCode_Loader) – 103.96.74.148:8899
- [IP] C2 endpoint (SparkRAT) – 103.96.74.148:6688
- [IP] C2 endpoint (m6699.exe) – 103.96.74.148:6699
- [IP] China Chopper C2 – 104.233.163.190
- [URL] ShellCode_Loader staging – hxxp://211.149.237.108:801/py.exe
- [URL] ShellCode_Loader staging – hxxp://211.149.237.108:801/m6699.exe
- [URL] SparkRAT staging – hxxp://43.129.227.159:81/c.exe
- [URL] GotoHTTP staging – hxxp://13.213.41.125:9001/go.exe
- [URL] ShellCode_Loader staging – hxxp://www.bingoplanet.tw/images/py.exe
- [URL] ShellCode_Loader staging – hxxps://www.moongallery.com.tw/upload/py.exe
- [URL] ShellCode_Loader staging – hxxp://www.holybaby.com.tw/api/ms.exe