DragonSpark Threat Actor Leverages Open Source RAT

An unidentified group is using the open source remote access tool SparkRAT, together with other legitimate and malicious tools written by Chinese-speaking developers, to target internet-connected servers in East Asia, according to new research from SentinelOne.

Senior threat researcher Aleksandar Milenkoski told SC Media that the campaign, which his team calls “DragonSpark,” is a cluster of activity that has not yet been linked to any previously known state-sponsored or financially motivated hacking group. It centers on the use of SparkRAT, which researchers described as “a feature-rich and multi-platform tool” that runs on Windows, Linux and macOS.

SparkRAT is written in Go (Golang), a language increasingly used to build both legitimate tools and malware, and there is evidence that the same actors also deploy other Go-written malware to evade static detection and analysis. The version the researchers observed appears to have been built on Nov. 1, 2022, and supports 26 commands, including command execution, system manipulation, file and process manipulation, and data exfiltration.
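The point about Go-written malware cuts both ways: Go binaries are statically linked and unfamiliar to many signature-based tools, but the toolchain embeds a build ID string and (since Go 1.18) a .go.buildinfo section listing the Go version, main package path, module dependencies and build settings, all of which a static triage step can recover before any deeper analysis. The script below is an added example written for this page, not code from SentinelOne or from the SparkRAT project: it locates both markers in raw bytes and parses the inline build information. The magic constants are taken from Go's debug/buildinfo and cmd/go sources; the sample bytes are constructed to mimic that layout, contain no real SparkRAT artifact, and use placeholder module paths.

```python
"""Offline triage of a suspected Go binary: recover the linker build ID and
the .go.buildinfo metadata without executing the sample.

Added example for this page, not SentinelOne's or SparkRAT's code. Magic
values are from Go's debug/buildinfo and cmd/go sources; sample bytes are
constructed here and carry no real SparkRAT artifact."""

BUILDINFO_MAGIC = b"\xff Go buildinf:"   # 14-byte marker; full header is 32 bytes
FLAG_INLINE_STRINGS = 0x2                 # flags bit: strings follow the header
BUILD_ID_MARKER = b'Go build ID: "'       # written by the Go linker
# runtime.modinfo is wrapped in these sentinels; debug/buildinfo strips them
MODINFO_START = b"\x30\x77\xaf\x0c\x92\x74\x08\x02\x41\xe1\xc1\x07\xe6\xd6\x18\xe6"
MODINFO_END = b"\xf9\x32\x43\x31\x86\x18\x20\x72\x00\x82\x42\x10\x41\x16\xd8\xf2"


def _uvarint(n):
    """Encode n as a Go uvarint (used only to build the constructed sample)."""
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _read_uvarint(data, off):
    """Decode a uvarint at data[off:]; return (value, offset_after)."""
    value, shift = 0, 0
    while True:
        b = data[off]
        off += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, off
        shift += 7


def _read_prefixed(data, off):
    """Read a uvarint-length-prefixed byte string; return (bytes, offset_after)."""
    n, off = _read_uvarint(data, off)
    return data[off:off + n], off + n


def extract_buildinfo(blob):
    """Parse the .go.buildinfo header and, for Go >= 1.18, its inline strings."""
    idx = blob.find(BUILDINFO_MAGIC)
    if idx < 0:
        return None
    ptr_size, flags = blob[idx + 14], blob[idx + 15]
    info = {"ptr_size": ptr_size, "inline": bool(flags & FLAG_INLINE_STRINGS),
            "go_version": None, "main_path": None, "modules": [], "settings": {}}
    if not info["inline"]:
        # Pre-1.18 layout stores two pointers to the strings instead; resolving
        # them needs the section table, which this quick triage skips.
        return info
    off = idx + 32
    version, off = _read_prefixed(blob, off)
    modinfo, off = _read_prefixed(blob, off)
    if modinfo.startswith(MODINFO_START) and modinfo.endswith(MODINFO_END):
        modinfo = modinfo[16:-16]
    info["go_version"] = version.decode("utf-8", "replace")
    for line in modinfo.decode("utf-8", "replace").splitlines():
        fields = line.split("\t")              # modinfo lines are tab-separated
        if fields[0] == "path" and len(fields) > 1:
            info["main_path"] = fields[1]
        elif fields[0] in ("mod", "dep") and len(fields) > 2:
            info["modules"].append((fields[1], fields[2]))
        elif fields[0] == "build" and len(fields) > 1 and "=" in fields[1]:
            key, value = fields[1].split("=", 1)
            info["settings"][key] = value
    return info


def extract_build_id(blob):
    """Return the linker build ID string, or None if the marker is absent."""
    idx = blob.find(BUILD_ID_MARKER)
    if idx < 0:
        return None
    start = idx + len(BUILD_ID_MARKER)
    end = blob.find(b'"', start)
    return blob[start:end].decode("ascii", "replace") if end > start else None


def triage(blob):
    """Summarize the Go-specific metadata recoverable from raw file bytes."""
    build_id = extract_build_id(blob)
    buildinfo = extract_buildinfo(blob)
    return {"is_go": build_id is not None or buildinfo is not None,
            "build_id": build_id, "buildinfo": buildinfo}


def build_sample():
    """Constructed bytes laid out like a Go 1.19 ELF's build ID string and
    .go.buildinfo section. Module paths are placeholders, not SparkRAT's."""
    modinfo = (b"path\tcmd/agent\n"
               b"mod\texample.com/agent\t(devel)\t\n"
               b"dep\texample.com/lib\tv1.2.3\th1:PLACEHOLDER=\n"
               b"build\t-buildmode=exe\n"
               b"build\tGOOS=linux\n")
    wrapped = MODINFO_START + modinfo + MODINFO_END
    version = b"go1.19.3"
    header = BUILDINFO_MAGIC + bytes([8, FLAG_INLINE_STRINGS]) + b"\x00" * 16
    return (b"\x7fELF" + b"\x00" * 60
            + b'\xff Go build ID: "abcd1234/ef56/gh78/ij90"\n \xff' + b"\x00" * 32
            + header + _uvarint(len(version)) + version
            + _uvarint(len(wrapped)) + wrapped + b"\x00" * 16)
```

Run triage() over a file's bytes; a hit on either marker is a strong indication the sample was built with the Go toolchain, and the dependency list and GOOS/GOARCH settings give immediate pivots for clustering related builds. Pre-1.18 binaries carry the header but reference the strings by pointer, so the script reports only the header fields for them.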

“When we combine all this, [SparkRAT] is a very feature-rich and multi-platform tool that they can re-use in different victim environments. We came to the conclusion that they probably adopted it because it’s very, very practical for them,” Milenkoski said.

The findings bolster evidence that the previously little-known open source tool is becoming more widely used by malicious hackers. In December, Microsoft claimed that threat actors were increasingly relying on SparkRAT, but it’s not clear if
