SentinelLabs Identifies New Group of Cybercriminals Using SparkRAT and Golang Source Code Malware to Evade Detection
SentinelLabs, the research division of SentinelOne, has discovered and analyzed the modus operandi of a new group of cybercriminals targeting companies in East Asia (Taiwan, Hong Kong, China and Singapore). Called DragonSpark, it uses a novel technique for interpreting Golang source code to evade detection, while deploying open source tools, such as SparkRAT.
DragonSpark, which carries out a range of malicious activities such as lateral movement, privilege escalation and malware deployment, relies on open-source tools built by Chinese developers or vendors, including SparkRAT. This little-known, cross-platform remote access Trojan is rich in features (command execution, system manipulation, file and process manipulation, information theft) and supports Windows, Linux and macOS.
“Chinese-speaking threat actors tend to often use open source software in their malicious campaigns. Little known, SparkRAT, which we have observed in DragonSpark attacks, is one of the newest. We believe that this RAT will remain very attractive to cybercriminals and other threat actors in the future,” confirmed SentinelLabs.
The group of cybercriminals also uses a new technique to hinder static analysis and evade detection: Golang source code interpretation.
According to SentinelLabs, which continues to actively monitor DragonSpark, it is very likely that the cybercriminals behind these attacks speak Chinese.