Organizations in East Asia are being targeted by a likely Chinese-speaking actor dubbed DragonSpark, which employs uncommon tactics to get past security layers.
The attacks are characterized by the use of the open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation at runtime.
A striking aspect of the intrusions is the consistent use of SparkRAT for a variety of activities, including stealing information, obtaining control of an infected host, and running additional PowerShell instructions.
Espionage or cybercrime is the likely motive. DragonSpark's association with China stems from the use of the China Chopper web shell to deploy malware, which is a widely used attack pathway.
Furthermore, the open source tools used in the attacks originate from developers or companies with links to China, and the infrastructure for staging the payloads is located in Taiwan, Hong Kong, China, and Singapore, some of it belonging to legitimate businesses.
The command-and-control (C2) servers are situated in Hong Kong and the U.S.
Initial access entails compromising internet-exposed web servers and MySQL database servers to drop the China Chopper web shell.
The foothold is leveraged to carry out lateral movement, privilege escalation, and malware deployment using open source tools.
Also delivered to hosts are custom malware capable of executing arbitrary code and SparkRAT, a cross-platform remote access trojan that runs system commands, manipulates files and processes, and siphons information of interest.
Another malware of note is the Golang-based m6699.exe, which interprets at runtime source code contained within it to fly under the radar and launches a shellcode loader engineered to contact a C2 server to fetch and execute next-stage shellcode.
SparkRAT is a multi-platform, feature-rich tool that is regularly updated with new features.
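Because the initial access described above ends with a China Chopper web shell on the compromised web server, a defender's first hunting step is to sweep the web root for the tiny one-line `eval`-of-request-input scripts that this shell family consists of. The scanner below is an added example written for this article, not code from the original report or from any tool it mentions; the regular expressions, file extensions, size threshold and the constructed sample web root (two shells, two benign files) are all assumptions made here for illustration.

```python
"""Hunt a web root for China Chopper-style one-line web shells (defensive scan)."""
import os
import re
import tempfile

# Constructed detection patterns for the classic one-liner shapes:
#   PHP  : <?php @eval($_POST['pass']); ?>
#   ASPX : <%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>
#   ASP  : <%eval request("pass")%>
PATTERNS = {
    "php_eval_post":  re.compile(r"@?eval\s*\(\s*\$_(POST|REQUEST|GET)\s*\[", re.I),
    "aspx_eval_item": re.compile(r"eval\s*\(\s*Request\.Item\s*\[", re.I),
    "asp_eval_req":   re.compile(r"eval\s*\(?\s*Request\s*\(", re.I),
}
SCRIPT_EXT = {".php", ".asp", ".aspx", ".ashx", ".jsp"}
MAX_ONELINER_BYTES = 512  # assumed threshold: one-liner shells are tiny (secondary signal only)


def classify_file(path):
    """Return the names of the patterns that match one file (empty list if clean)."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(65536)  # a one-liner shell sits at the top of the file
    except OSError:
        return []
    text = data.decode("utf-8", errors="ignore")
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def scan_webroot(root):
    """Walk `root` and return {relative_path: {"matches": [...], "tiny": bool}} for hits."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in SCRIPT_EXT:
                continue
            full = os.path.join(dirpath, fn)
            matches = classify_file(full)
            if matches:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits[rel] = {
                    "matches": matches,
                    "tiny": os.path.getsize(full) <= MAX_ONELINER_BYTES,
                }
    return hits


def build_sample_webroot():
    """Create a constructed web root with two shells and two benign files; return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {  # constructed sample content, not real artefacts from the incident
        "uploads/img.php": "<?php @eval($_POST['pass']); ?>",
        "admin/cmd.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
        "index.php": "<?php echo 'hello'; include 'lib.php'; ?>",
        "lib.php": "<?php function f($x){ return htmlspecialchars($x); } ?>",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, info in sorted(scan_webroot(build_sample_webroot()).items()):
        print(f"{rel}: {info['matches']} tiny={info['tiny']}")
```

Run it against a real document root in place of the constructed one; a hit on a script file that is both pattern-matched and tiny, especially under an upload directory, is worth pulling for review together with the web server access log entries that POST to it.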