DragonSpark threat actor avoids detection using Golang source code Interpretation

Chinese threat actor tracked as DragonSpark targets organizations in East Asia with a Golang malware to evade detection.

SentinelOne researchers spotted a Chinese-speaking actor, tracked as DragonSpark, that is targeting organizations in East Asia.

The attackers employed an open source tool SparkRAT along with Golang malware that implements an uncommon technique to evade detection.

“The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation.” reads the report published by SentineOne. “The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.”

SparkRAT is multi-platform malware that is frequently updated with new features.

The Golang malware employed in the attacks interprets embedded Golang source code at runtime as a technique for deceiving static analysis and evading detection by static analysis mechanisms. The experts pointed out that this is an uncommon technique.

The attack chain observed by SentinelOne starts with the compromise of web servers and MySQL database servers exposed to the Internet.

The experts noticed the presence of the China Chopper webshell, a hallmark of intelligence operations conducted by China-linked intelligence agencies.

Once gained access to the target network, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools.

The DragonSpark threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors, including SparkRAT, the privilege escalation tools SharpToken and BadPotato, and the cross-platform

Read more

Explore the site

More from the blog

Latest News