Malware, Threat Management, Identity

‘DragonSpark’ threat actor leverages open-source RAT, other Chinese-language tools

A toy Chinese dragon is seen at a festival

An unidentified group is using remote access tool SparkRAT, as well as other legitimate and malicious tools created by Chinese-speaking developers, to target internet-connected servers in East Asia, according to new research from Sentinel One.

Senior threat research Aleksandar Milenkoski told SC Media the campaign, which his team calls “DragonSpark,” is a cluster of activity that has not been connected to any previously known state or financially motivated hacking group thus far. It appears to focus on the use of SparkRAT, which researchers described as “a feature-rich and multi-platform tool” that can be used on Windows, Linux and Mac operating systems.

SparkRAT is written in Golang, a programming language increasingly used to build both legitimate tools and malware, and there is evidence that the same actors are also leveraging Golang-written malware in order to evade static detection and analysis techniques. The version observed by researchers appears to have been created on Nov. 1, 2022, and supports 26 different commands, including command execution, system manipulation, file and process manipulation and data exfiltration.

“When we combine all this, [SparkRAT] is a very feature-rich and multi-platform tool that they can re-use in different victim environments. We came to the conclusion that they probably adopted it because it’s very, very practical for them,” Milenkoski said.

The findings bolster evidence that the previously little-known open source tool is becoming more widely used by malicious hackers. In December, Microsoft claimed that threat actors were increasingly relying on SparkRAT, but it’s not clear if the actors behind DragonSpark were included in that assessment.

SparkRAT is one of numerous open-source tools used by DragonSpark that were developed by Chinese-speaking programmers or vendors, along with others like SharpToken and BadPotato (tools used to find and exploit access credentials in order to escalate privileges) and GoToHTTP, another remote access tool that can used by malicious actors to gain persistence within a victim network.

That tooling, and the fact that DragonSpark also uses China Chopper, a preferred webshell of many Chinese advanced persistent threat groups (APTs) and an overall focus on victims located in East Asia has led Sentinel One to assess that it is “highly likely” the actors behind the group are also Chinese speakers. Most of the evidence is based on technical indicators pulled from victim environments, the location of malware staging infrastructure throughout East Asia (a common choice for Chinese cybercriminal groups) and a number of overlaps between tools or servers used by DragonSpark and other Chinese-speaking threat groups.

However, the company is not tying the activity to Beijing or any known state-sponsored APT, and Milenkoski told SC Media that the evidence they’ve collected thus far does not provide any clear indicators whether the ultimate goal behind the intrusions is financial, espionage-related or both.

While such evidence can often indicate the regional or language preferences of a particular threat actor, it is not unheard of for one hacking group to use the preferred tools of another as a way of masking their identity, so researchers are being cautious when it comes to drawing too strong of a conclusion around attribution.   

“We were very careful with that, we use the term ‘Chinese-speaking intentionally due to many reasons,” Milenkoski said.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.