DragonSpark threat actor avoids detection using Golang source code Interpretation

Chinese threat actor tracked as DragonSpark targets organizations in East Asia with a Golang malware to evade detection.

SentinelOne researchers spotted a Chinese-speaking actor, tracked as DragonSpark, that is targeting organizations in East Asia.

The attackers employed an open source tool SparkRAT along with Golang malware that implements an uncommon technique to evade detection.

“The threat actors use Golang malware that implements an uncommon technique for hindering static analysis and evading detection: Golang source code interpretation.” reads the report published by SentineOne. “The DragonSpark attacks leverage compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.”

SparkRAT is multi-platform malware that is frequently updated with new features.

The Golang malware employed in the attacks interprets embedded Golang source code at runtime as a technique for deceiving static analysis and evading detection by static analysis mechanisms. The experts pointed out that this is an uncommon technique.

The attack chain observed by SentinelOne starts with the compromise of web servers and MySQL database servers exposed to the Internet.

The experts noticed the presence of the China Chopper webshell, a hallmark of intelligence operations conducted by China-linked intelligence agencies.

Once gained access to the target network, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools.

The DragonSpark threat actor relies heavily on open source tools that are developed by Chinese-speaking developers or Chinese vendors, including SparkRAT, the privilege escalation tools SharpToken and BadPotato, and the cross-platform remote access tool GotoHTTP.

“In addition to the tools above, the threat actor used two custom-built malware for executing malicious code: ShellCode_Loader, implemented in Python and delivered as a PyInstaller package, and m6699.exe, implemented in Golang.” continues the report.

The infrastructure used by DragonSpark is located in Taiwan, Hong Kong, China, and Singapore, the C2 servers were located in Hong Kong and the United States.

The Golang-based m6699.exe avoid detection by using the Yaegi framework to interprete at runtime the source code contained within it.

The m6699.exe acts as a loader for a first-stage shellcode that implements a loader for a second-stage shellcode.

“Since SparkRAT is a multi-platform and feature-rich tool, and is regularly updated with new features, we estimate that the RAT will remain attractive to cybercriminals and other threat actors in the future.” concludes the report. “In addition, threat actors will almost certainly continue exploring techniques and specificalities of execution environments for evading detection and obfuscating malware, such as Golang source code interpretation that we document in this article.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, DragonSpark)

[adrotate banner=”5″]

[adrotate banner=”13″]