DragonSpark

Analysts observed compromises of web servers and MySQL database servers exposed to the Internet as initial indicators of the DragonSpark attacks.

Exposing MySQL servers to the Internet is an infrastructure posture flaw that often leads to severe incidents that involve data breaches, credential theft, or lateral movement across networks.
At compromised web servers, Analysts observed use of the China Chopper webshell, recognizable by the &echo [S]&cd&echo [E] sequence in virtual terminal requests.
China Chopper is commonly used by Chinese threat actors, which are known to deploy the webshell through different vectors, such as exploiting web server vulnerabilities, cross-site scripting, or SQL injections.

After gaining access to environments, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure.
Analysts observed that the threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors.
This includes SparkRAT as well as other tools, such as:

SharpToken: a privilege escalation tool that enables the execution of Windows commands with SYSTEM privileges.
The tool also features enumerating user and process information, and adding, deleting, or changing the passwords of system users.
BadPotato: a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution.
The tool has been observed in an attack campaign conducted by a Chinese threat actor with the goal of acquiring intelligence.
GotoHTTP: a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen view.
In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang.
SparkRAT is a RAT developed in Golang and released as open source software by the Chinese-speaking developer XZB-1248.
SparkRAT is a feature-rich and multi-platform tool that supports the Windows, Linux, and macOS operating systems.

SparkRAT uses the WebSocket protocol to communicate with the C2 server and features an upgrade system.
This enables the RAT to automatically upgrade itself to the latest version available on the C2 server upon startup by issuing an upgrade request.
This is an HTTP POST request, with the commit query parameter storing the current version of the tool.

In the attacks Analysts observed, the version of SparkRAT was 6920f726d74efb7836a03d3acfc0f23af196765e, built on 1 November 2022 UTC.
This version supports 26 commands that implement a wide range of functionalities:

Command execution: including execution of arbitrary Windows system and PowerShell commands.
System manipulation: including system shutdown, restart, hibernation, and suspension.
File and process manipulation: including process termination as well as file upload, download, and deletion.
Information theft: including exfiltration of platform information (CPU, network, memory, disk, and system uptime information), screenshot theft, and process and file enumeration.

The Golang malware m6699.exe uses the Yaegi framework to interpret at runtime encoded Golang source code stored within the compiled binary, executing the code as if compiled.
This is a technique for hindering static analysis and evading detection by static analysis mechanisms.

The main purpose of m6699.exe is to execute a first-stage shellcode that implements a loader for a second-stage shellcode.

m6699.exe first decodes a Base-64 encoded string.
This string is Golang source code that conducts the following activities:

Declares a Main function as part of a Run package.
The run.Main function takes as a parameter a byte array – the first-stage shellcode.
The run.Main function invokes the HeapCreate function to allocate executable and growable heap memory (HEAP_CREATE_ENABLE_EXECUTE).
The run.Main function places the first-stage shellcode, supplied to it as a parameter when invoked, in the allocated memory and executes it.

The first-stage shellcode implements a shellcode loader.
The shellcode connects to a C2 server using the Windows Sockets 2 library and receives a 4-byte big value.
This value is the size of a second-stage shellcode for which the first-stage shellcode allocates memory of the received size.
The first-stage shellcode then receives from the C2 server the second-stage shellcode and executes it.

When m6699.exe executes, the threat actor can establish a Meterpreter session for remote command execution.

ShellCode_Loader is the internal name of a PyInstaller-packaged malware that is implemented in Python.
ShellCode_Loader serves as the loader of a shellcode that implements a reverse shell.

ShellCode_Loader uses encoding and encryption to hinder static analysis.
The malware first Base-64 decodes and then decrypts the shellcode.
ShellCode_Loader uses the AES CBC encryption algorithm, and Base-64 encoded AES key and initialization vector for the decryption.

The malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organizations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites.
Analysts also observed an Amazon Cloud EC2 instance as part of this infrastructure.

Sign Up For Threat Alerts

Loading...
Threats Icon

Feb 06, 2023

Vector Stealer Targets RDP Files For Exfiltration

Vector Stealer is an information stealer sold on underground forums since 2022. The malicious software...

Threats Icon

Feb 05, 2023

Operation Ice Breaker

This is a new threat actor,Analysts are tracking it as Ice Breaker APT. Although research...

Threats Icon

Feb 05, 2023

Operation Ice Breaker

ttt

Threats Icon

Feb 05, 2023

Trigona Ransomware Analysis

Trigona ransomware appeared on the threat landscape in late 2022 and threatens to release stolen...

Threats Icon

Feb 02, 2023

Ukraine CERT-UA: Compromised Email Address Used To...

An adversary was discovered using a compromised e-mail address to send phishing emails with a...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Feb 01, 2023

Ukraine Government Sector Targeted With The DolphinCape...

The government sector of Ukraine was targeted with spear-phishing emails with a malicious attachment which...

Threats Icon

Jan 31, 2023

Multiple Malware Variants Distributed Through Microsoft OneNote

Spear-phishing emails with malicious Microsoft OneNote attachments were discovered delivering variants from the AsyncRAT, Formbook¸...

Threats Icon

Jan 30, 2023

Playing Whack-a-Mole With New Dharma Ransomware Variants

The Dharma ransomware family was initially identified in 2016 and operates as a Ransomware-as-a-Service (RaaS)...

Threats Icon

Jan 29, 2023

APT15 Targets Multiple Sectors With Turian Backdoor

APT15, also known as Playful Taurus, is an advanced persistent threat (APT) that conducts a...

Threats Icon

Jan 26, 2023

Vice Society Ransomware Group Targets Manufacturing Companies

The Vice Society threat group was discovered targeting multiple sectors including manufacturing companies in Brazil....

Threats Icon

Jan 26, 2023

US Cert Alert – Alert (AA23-025A) Protecting...

Although this campaign appears financially motivated, the authoring organizations assess it could lead to additional...

Threats Icon

Jan 25, 2023

Emotet Malware Makes a Comeback with New...

The Emotet malware operation has continued to refine its tactics in an effort to fly...

Threats Icon

Jan 25, 2023

PLAY Ransomware

PLAY is simple but heavily obfuscated with a lot of unique tricks that have not...

Threats Icon

Jan 24, 2023

Gamaredon Abuses Telegram To Target Ukrainian Government...

The Gamaredon APT group was discovered targeting Ukrainian government entities using the Telegram messaging service...