
Unknown malware terrorizes gambling companies


The new Chinese grouping uses the Golang interpreter to avoid detection.

SentinelLabs cybersecurity researchers report that the Chinese-speaking group DragonSpark used Go source-code interpretation to avoid detection while conducting espionage attacks against organizations in East Asia.

The initial attack vector is vulnerable MySQL database servers exposed to the Internet. Attackers gain access to vulnerable MySQL and web server endpoints by deploying web shells through SQL injection, cross-site scripting, or web server vulnerabilities.

The attackers then deploy SparkRAT, an open-source Golang-based tool that runs on Windows, macOS and Linux and offers remote access features. SparkRAT supports 26 commands received from the command-and-control (C&C, or C2) server, which let it:

  • Remotely execute PowerShell and Windows system commands;
  • Manage Windows features and force shutdown, restart or suspension of processes;
  • Download, upload or delete files;
  • Collect system and confidential information and transfer it to the C&C server;
  • Capture the screen and send it to the attacker’s server;
  • Perform lateral movement.

SparkRAT uses the WebSocket protocol to communicate with the C&C server and can update itself automatically, so new features can be added over time.

In addition to SparkRAT, hackers also use the SharpToken and BadPotato tools to escalate privileges and the GotoHTTP tool to establish persistence on a compromised system.


Benefits of Code Interpretation

What sets the campaign apart is its use of Golang source-code interpretation (via the Yaegi tool) to execute Go scripts embedded in the malware binaries. This lets the attackers run code without compiling it first, which helps evade static analysis.

One such Go script is used to open a reverse shell so that the attackers can connect to it with Meterpreter and execute code remotely. The method is fairly involved, but it is an effective way to evade static analysis, because most security products evaluate the behaviour of compiled code rather than the embedded source text.
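Because the evasion relies on shipping Go source text inside a binary together with a linked interpreter, a defender can triage samples by looking for exactly that combination. The following scanner is an added example written for this article, not code from the report or from any of the projects it names; it assumes the Yaegi import path github.com/traefik/yaegi (a real open-source project) and uses constructed sample blobs rather than real malware.

```python
"""Heuristic triage for binaries that embed Go source plus a Go interpreter.

Added example (not from the original article). It looks for two things the
article describes: strings that look like embedded Go source ("package main",
"func main(", import clauses) and references to the Yaegi interpreter package
(github.com/traefik/yaegi). A plain .go file trips the source patterns but not
the interpreter ones, and a normal compiled Go binary trips neither, so only
the combination is flagged. Thresholds and sample blobs are constructed.
"""
import re
import sys
from pathlib import Path

# Indicators of Go source text carried inside a binary rather than compiled.
SOURCE_PATTERNS = {
    "package_clause": re.compile(rb"\bpackage\s+main\b"),
    "func_main": re.compile(rb"\bfunc\s+main\s*\(\s*\)"),
    "import_clause": re.compile(rb"\bimport\s*\(|\bimport\s+\"[A-Za-z0-9_./-]+\""),
    "net_or_exec_import": re.compile(rb"\"os/exec\"|\"net\""),
}

# Interpreter package paths that a compiled Go binary keeps in its string and
# symbol tables when it links the interpreter.
INTERPRETER_PATTERNS = {
    "yaegi_interp": re.compile(rb"github\.com/traefik/yaegi/interp"),
    "yaegi_stdlib": re.compile(rb"github\.com/traefik/yaegi/stdlib"),
}


def scan_bytes(data: bytes) -> dict:
    """Count indicator hits and return a verdict plus a snippet for the analyst."""
    all_patterns = {**SOURCE_PATTERNS, **INTERPRETER_PATTERNS}
    hits = {name: len(pattern.findall(data)) for name, pattern in all_patterns.items()}
    source_indicators = sum(1 for name in SOURCE_PATTERNS if hits[name])
    interpreter_indicators = sum(1 for name in INTERPRETER_PATTERNS if hits[name])

    # Verdict: an interpreter is linked AND at least two distinct source-level
    # indicators are present (one alone is too easy to hit by accident).
    suspicious = interpreter_indicators > 0 and source_indicators >= 2

    # Hand the analyst the bytes around the package clause so the embedded
    # script can be pulled out and read without running the sample.
    snippet = ""
    match = SOURCE_PATTERNS["package_clause"].search(data)
    if match:
        snippet = data[match.start():match.start() + 200].decode("utf-8", "replace")

    return {
        "hits": hits,
        "source_indicators": source_indicators,
        "interpreter_indicators": interpreter_indicators,
        "suspicious": suspicious,
        "snippet": snippet,
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk."""
    return scan_bytes(Path(path).read_bytes())


# Constructed samples (not real malware) used to exercise the scanner.
SAMPLE_SUSPICIOUS = (
    b"\x7fELF\x00\x00\x00padding\x00"
    b"github.com/traefik/yaegi/interp.(*Interpreter).Eval\x00"
    b"package main\nimport (\n\t\"net\"\n\t\"os/exec\"\n)\nfunc main() {\n}\n"
)
SAMPLE_BENIGN_BINARY = b"\x7fELF\x00\x00runtime.main\x00main.main\x00net/http\x00"
SAMPLE_PLAIN_SOURCE = b"package main\n\nimport \"fmt\"\n\nfunc main() {\n\tfmt.Println(1)\n}\n"


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            result = scan_file(target)
            print(target, "SUSPICIOUS" if result["suspicious"] else "clean", result["hits"])
    else:
        for label, blob in (("suspicious", SAMPLE_SUSPICIOUS),
                            ("benign-binary", SAMPLE_BENIGN_BINARY),
                            ("plain-source", SAMPLE_PLAIN_SOURCE)):
            print(label, scan_bytes(blob)["suspicious"])
```

Run it with one or more file paths to scan real samples, or with no arguments to see the three constructed blobs classified. The combination rule is deliberate: a developer's .go file and a Go binary that merely embeds Yaegi for a legitimate plugin system each trip only one side, so the verdict stays a triage hint rather than a conviction, and the returned snippet is what an analyst would read next.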

All of the open-source tools used by DragonSpark were written by Chinese developers, which points to links between the attackers and that country. DragonSpark operated from compromised networks in Taiwan, Hong Kong, China and Singapore belonging to gambling companies, art galleries, travel agencies and schools.

Source: www.securitylab.ru
