New Chinese-Speaking Hacking Group "DragonSpark" Uses Golang to Launch Espionage Attacks
Cybersecurity experts at SentinelLabs have discovered a new Chinese-speaking hacking group known as "DragonSpark" that is using Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. The group relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.
The threat actors launch their attacks from compromised infrastructure in China, Taiwan, and Singapore. The initial intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed to the internet. The group gains access to these servers by deploying webshells through SQL injection, cross-site scripting, or web server vulnerabilities.
Once inside, the attackers deploy SparkRAT, a Golang-based open-source tool that can run on Windows, macOS, and Linux. SparkRAT offers a wide range of features that allow attackers to remotely execute PowerShell and Windows system commands, manipulate Windows functions, and perform file actions such as downloading, uploading, or deletion. Additionally, it can steal system information or capture screenshots and exfiltrate them to the command and control (C2) server. The tool uses the WebSocket protocol to communicate with the C2 server and can automatically upgrade itself, constantly adding new features.
Besides SparkRAT, DragonSpark also uses the SharpToken and BadPotato tools for privilege escalation and the GotoHTTP tool for establishing persistence on the breached system.
Golang Source Code Interpretation: A Complex but Effective Technique
What makes the campaign stand out, however, is the use of Golang source code interpretation to execute code from Go scripts embedded in the malware binaries. The embedded Go script opens a reverse shell to which the threat actors connect using Meterpreter for remote code execution. The technique is relatively complex but effective at hindering static analysis, since most security software only evaluates the behavior of compiled code rather than source code.
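Because the interpreted script has to be present in the binary as plain Go text, the trick leaves a static footprint that compiled code does not. The scanner below is an added example written for this article, not SentinelLabs' tooling or anything from the DragonSpark toolset; the marker set and the sample bytes are constructed assumptions for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"sort"
)

// Tokens that occur in Go *source* text but not in the machine code or symbol
// tables of an ordinary compiled Go binary. A hit is a hint, not proof, that a
// Go script is embedded for runtime interpretation (heuristic, assumed set).
var goSourceMarkers = map[string]*regexp.Regexp{
	"package clause": regexp.MustCompile(`package\s+\w+\s*\n`),
	"import block":   regexp.MustCompile(`import\s*\(`),
	"func main":      regexp.MustCompile(`func\s+main\s*\(\s*\)\s*\{`),
	"network dial":   regexp.MustCompile(`net\.Dial\w*\(`),
}

// Finding records one marker hit inside the scanned blob.
type Finding struct {
	Marker string
	Offset int
}

// ScanForGoSource returns every marker hit, ordered by file offset.
func ScanForGoSource(blob []byte) []Finding {
	var out []Finding
	for name, re := range goSourceMarkers {
		for _, loc := range re.FindAllIndex(blob, -1) {
			out = append(out, Finding{Marker: name, Offset: loc[0]})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Offset < out[j].Offset })
	return out
}

// CarveGoSource extracts the embedded script from its package clause up to the
// first NUL byte (string data in binaries is usually NUL-terminated), so an
// analyst can review the script as plain text instead of disassembling.
func CarveGoSource(blob []byte) (string, bool) {
	idx := goSourceMarkers["package clause"].FindIndex(blob)
	if idx == nil {
		return "", false
	}
	rest := blob[idx[0]:]
	if end := bytes.IndexByte(rest, 0); end >= 0 {
		rest = rest[:end]
	}
	return string(rest), true
}

// IsSuspicious flags a blob when at least minHits distinct markers are present.
func IsSuspicious(blob []byte, minHits int) bool {
	seen := map[string]bool{}
	for _, f := range ScanForGoSource(blob) {
		seen[f.Marker] = true
	}
	return len(seen) >= minHits
}

// Constructed sample: fake header bytes followed by a benign embedded script.
var sample = []byte("\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00" +
	"package main\n\nimport (\n\t\"fmt\"\n)\n\nfunc main() {\n\tfmt.Println(\"interpreted at runtime\")\n}\n\x00" +
	"more compiled bytes\x00")

func main() {
	for _, f := range ScanForGoSource(sample) {
		fmt.Printf("offset %d: %s\n", f.Offset, f.Marker)
	}
	if src, ok := CarveGoSource(sample); ok {
		fmt.Printf("carved script:\n%s", src)
	}
}
```

Run against real samples, the carved text is what you hand to a reviewer; the marker count is only a triage signal and should be tuned against clean Go binaries from your own environment.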
DragonSpark does not appear to have any notable overlaps with other Chinese-speaking hacking groups; hence, SentinelLabs assigned the cluster a new name. Its operations were first spotted in September 2022, involving the Zegost malware, historically associated with Chinese espionage-focused APTs (advanced persistent threats). The webshell DragonSpark planted onto compromised servers was "China Chopper," now commonly used by threat actors worldwide. Also, all of the open-source tools used by DragonSpark were developed by Chinese authors, which strongly indicates that the threat actors have ties to the country. DragonSpark used compromised networks in Taiwan, Hong Kong, China, and Singapore belonging to gambling-related companies, art galleries, travel agencies, and schools.
The Golang source code interpretation technique leveraged by DragonSpark is new and poses a significant threat to organizations in East Asia. The group's use of a feature-rich remote access tool like SparkRAT, along with other tools for privilege escalation and persistence, makes it a formidable threat. Organizations should be aware of this group and take appropriate measures to protect their networks, such as regularly patching vulnerabilities, monitoring for unusual activity, and implementing proper incident response plans.