SparkRAT Being Distributed Within a Korean VPN Installer – ASEC BLOG

ASEC reports SparkRAT was found distributed inside a VPN installer, indicating a supply-chain style compromise. The dropper creates SparkRAT in a local path, registers it for persistence, and enables remote control, information theft, and other malicious actions. #SparkRAT #DragonSpark #GoLang #AhnLab

Keypoints

  • SparkRAT was embedded in a VPN installer and distributed via the official website, suggesting a compromised legitimate service.
  • The installer is a .NET-based dropper that carries both the legitimate VPN installer and the malware in its resources.
  • The malware is registered in Task Scheduler to survive reboots, enabling persistence.
  • SparkRAT is a GoLang-based, open-source RAT capable of remote commands, file/process control, payload downloads, and screenshots.
  • SparkRAT runs cross-platform (Windows, Linux, macOS) and supports Chinese-language use; the VPN it was bundled with is popular in China.
  • The x64 SparkRAT build uses HTTPS for C2, while the x86 build communicates over plain HTTP, so the x86 variant's C2 traffic is unencrypted.

MITRE Techniques

  • [T1195] Supply Chain – The threat actor hacked a legitimate VPN service to distribute their malware. “[It is suspected that the threat actor hacked a legitimate VPN service to distribute their malware.]”
  • [T1036] Masquerading – The malware created under the name “svchost.exe” is also a dropper. “[The malware created under the name “svchost.exe” is also a dropper.]”
  • [T1053.005] Scheduled Task – It is registered in the task scheduler to ensure it will be executed even after system reboots. “[registered in the task scheduler to ensure it will be executed even after system reboots.]”
  • [T1140] Deobfuscate/Decode Data – SparkRAT decrypts the configuration data and retrieves information such as the C&C address and port number from the initialization function, main.init(). “[SparkRAT decrypts the configuration data and retrieves information such as the C&C address and port number from the initialization function, main.init().]”
  • [T1071.001] Web Protocols – C2 addresses used by SparkRAT include domain and IP-based endpoints with HTTP/HTTPS; the x64 variant uses HTTPS and the x86 variant uses HTTP. “[C&C – gwekekccef.webull[.]day:443: SparkRAT x64] and [59.22.167[.]217:34646: SparkRAT x86]”
  • [T1113] Screen Capture – SparkRAT can collect information such as taking screenshots. “[collecting information from the infected system like by taking screenshots.]”
  • [T1059] Command and Scripting Interpreter – SparkRAT can execute commands remotely and control files and processes. “[executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system like by taking screenshots.]”
  • [T1105] Ingress Tool Transfer – SparkRAT downloads additional payloads after infection. “[downloading additional payloads]”

Indicators of Compromise

  • [MD5] Malicious binaries – 2e3ce7d90d988e1b0bb7ffce1731b04b, b571d849c0cb3c7af1cee6990654972b and 5 more hashes
  • [File Name] Dropper and variants – svchost.exe, svh.exe
  • [File Path] Local drop location – %LOCALAPPDATA%\Syservices\svchost.exe
  • [Domain] Command & Control – gwekekccef.webull[.]day
  • [IP] C2 address – 59.22.167[.]217:34646 (SparkRAT x86)
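The indicators above translate directly into endpoint and network detections: a file named svchost.exe executing from anywhere other than System32/SysWOW64, a scheduled task whose action points at the %LOCALAPPDATA%\Syservices drop path, and connections to the listed C2 endpoints (the x86 variant's HTTP C2 on port 34646 is visible in clear text). The script below is an added example, not code from ASEC or from the SparkRAT project; it runs that detection logic over a few constructed Sysmon-style events whose field names (`type`, `image`, `action`, `dst`, `port`) are my own simplification, and the only real values in it are the indicators published on this page.

```python
import re

# Indicators from the ASEC report above; defanging brackets removed so they
# match real telemetry.
C2_DOMAIN = "gwekekccef.webull.day"
C2_IP = "59.22.167.217"
C2_PORT_X86 = 34646                      # x86 build, plain HTTP
# Drop location reported by ASEC: %LOCALAPPDATA%\Syservices\svchost.exe
DROP_PATH_RE = re.compile(r"\\Syservices\\svchost\.exe$", re.IGNORECASE)
# The genuine svchost.exe lives only in these two directories.
LEGIT_SVCHOST_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def split_windows_path(path: str):
    """Return (directory, filename), lower-cased, without relying on os.path
    so the check behaves the same on a Linux SIEM host."""
    norm = path.replace("/", "\\").lower()
    directory, _, filename = norm.rpartition("\\")
    return directory, filename


def masqueraded_svchost(image_path: str) -> bool:
    """T1036: a binary named svchost.exe running outside System32/SysWOW64."""
    directory, filename = split_windows_path(image_path)
    return filename == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS


def check_event(ev: dict) -> list:
    """Return the list of detection reasons for one telemetry event."""
    hits = []
    kind = ev.get("type")
    if kind == "process":
        image = ev.get("image", "")
        if masqueraded_svchost(image):
            hits.append("svchost.exe outside System32/SysWOW64 (T1036)")
        if DROP_PATH_RE.search(image):
            hits.append("known SparkRAT drop path under %LOCALAPPDATA%\\Syservices")
    elif kind == "task":
        # Scheduled-task registration: inspect the action the task launches.
        action = ev.get("action", "")
        if masqueraded_svchost(action) or DROP_PATH_RE.search(action):
            hits.append("scheduled task launches svchost.exe from a user path (T1053.005)")
    elif kind == "netconn":
        dst, port = ev.get("dst", ""), ev.get("port")
        if dst == C2_IP and port == C2_PORT_X86:
            hits.append("SparkRAT x86 C2 over plain HTTP (T1071.001)")
        elif dst in (C2_DOMAIN, C2_IP):
            hits.append("SparkRAT C2 indicator (T1071.001)")
    return hits


def scan(events: list) -> list:
    """Return (event_index, reasons) for every event that triggers a rule."""
    alerts = []
    for index, ev in enumerate(events):
        reasons = check_event(ev)
        if reasons:
            alerts.append((index, reasons))
    return alerts


# Constructed sample telemetry. The user name, task name and the benign
# destination address are placeholders, not values from the report.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process",
     "image": r"C:\Users\alice\AppData\Local\Syservices\svchost.exe"},
    {"type": "task", "name": "constructed-task",
     "action": r"C:\Users\alice\AppData\Local\Syservices\svchost.exe"},
    {"type": "netconn", "dst": "59.22.167.217", "port": 34646},
    {"type": "netconn", "dst": "gwekekccef.webull.day", "port": 443},
    {"type": "netconn", "dst": "198.51.100.7", "port": 443},
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}: " + "; ".join(reasons))
```

Only the four suspicious events fire; the legitimate System32 svchost.exe and the unrelated HTTPS connection produce nothing. The path check deliberately keys on the file name rather than the process name, because the report notes the masquerading binary is itself a dropper, so the same rule catches both the initial drop and any re-launch from the scheduled task.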

Read more: https://asec.ahnlab.com/en/52899/