Chinese Hackers deploy Golang Malware in DragonSpark Attacks to Evade Detection
Reading Time: 2 minutes

Chinese hackers deploy Golang Malware in DragonSpark attacks to evade detection and jump the security layers. 

According to SentinelOne, “The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation.”

The hackers are consistently using SparkRAT to conduct a variety of activities, for stealing information, obtaining control of an infected host, or running additional PowerShell instructions.

Although espionage or cybercrime is likely to be the motive behind these attacks their real intention is still unknown. The Chinese connection comes from DragonSpark’s use of the China Chopper web shell to deploy malware – a widely used attack pathway among Chinese threat actors.

In addition, not only are the open source tools used in the cyber attacks developed by developers or companies with links to China, but the infrastructure for staging the payloads is located in Taiwan, Hong Kong, China, and Singapore, some of which is owned by legitimate companies.

The cybersecurity firm also mentioned, the command-and-control (C2) servers, on the other hand, are situated in Hong Kong and the U.S.

In order to drop the China Chopper web shell, internet-exposure web servers and MySQL databases must be compromised. Open source tools such as SharpToken, BadPotato, and GotoHTTP are then used to perform lateral movement, privilege escalation, and malware deployment.

Custom malware that can run arbitrary code is also delivered to the hosts, as is SparkRAT, a cross-platform remote access trojan that can run system commands, manipulate files and processes, and steal data.

A Golang-based malware of note is m6699.exe, which interprets at runtime the source code within it in order to launch a shellcode loader for contacting the C2 server and fetching and executing the next-stage shellcode.

The researchers further added, “Chinese-speaking threat actors are known to frequently use open source software in malicious campaigns. Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future.”

Related Articles:
Facebook Latest Features for End-to-End Encrypted Messenger App
The Business Of Cybercrime: How It’s Evolved And The ‘Rules’ You Should Know
How to Protect Yourself Against Screen Hacking?