Threat Watch

Chinese Cybercrime Group Using Golang Code Interpreter to Evade Detection

According to researchers at SentinelLabs, a Chinese threat actor tracked as DragonSpark has been stealing sensitive data from compromised systems around East Asia. The group's main access vector is vulnerable MySQL web servers and other endpoints, which they compromise by deploying webshells through SQL injection, cross-site scripting, or web server vulnerabilities. Once access is gained, DragonSpark deploys SparkRAT, an open-source tool that can run on Windows, macOS, and Linux. The tool supports 26 different commands that can be used to communicate with a Command and Control (C2) server set up by the threat actors. After SparkRAT is deployed, DragonSpark uses a custom Golang interpreter that is delivered via SparkRAT. The interpreter is known by the filename that attackers use for it, m6699[.]exe, and its hash (14ebbed449ccedac3610618b5265ff803243313d). Besides SparkRAT, DragonSpark also uses the SharpToken and BadPotato tools for privilege escalation and the GotoHTTP tool for establishing persistence on the breached system.

ANALYST NOTES

DragonSpark does not appear to have any notable ties to other Chinese-based threat actors. Based on the attacks the group is carrying out, especially the locations of the victims and the choice of tools primarily developed by Chinese authors, researchers are fairly certain that the group has ties to China. It is highly recommended that companies that either have ties to Eastern Asia or do a lot of business in that region ensure they are doing their best to secure MySQL databases, as those are the group's main intrusion vector.

https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-code-interpreter-to-evade-detection/

https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/