Cybersecurity researchers at SentinelLabs report that the Chinese-speaking group DragonSpark used Golang source code interpretation to avoid detection while conducting espionage attacks against organizations in East Asia.
The initial attack vector is vulnerable MySQL database servers exposed to the Internet. The attackers gain access to vulnerable MySQL and web server endpoints by deploying web shells through SQL injection, cross-site scripting, or web server vulnerabilities.
The attackers then deploy SparkRAT, a Golang-based open-source tool that runs on Windows, macOS and Linux and offers remote access features. SparkRAT supports 26 commands received from the command-and-control (C2) server, which it uses to perform the following actions:
- Remotely execute PowerShell and Windows system commands;
- Manage Windows features and force shutdown, restart or suspension of processes;
- Download, upload or delete files;
- Collect system and confidential information and transfer it to the C2 server;
- Capture the screen and send it to the attacker's server;
- Perform lateral movement.
SparkRAT uses the WebSocket protocol to communicate with the C2 server and can update itself automatically to add new features.
In addition to SparkRAT, the attackers also use the SharpToken and BadPotato tools to escalate privileges and the GotoHTTP tool to establish persistence on a compromised system.
What sets the campaign apart is its use of Golang source code interpretation (via the Yaegi interpreter) to execute Go scripts embedded in the malware binaries. This lets the attackers run code without compiling it first, which helps them evade static analysis.
The Go script is also used to open a reverse shell, to which the attackers connect with Meterpreter to execute code remotely. This is a fairly complex but effective way of evading static analysis, because most security products evaluate the behavior of compiled code rather than source code.
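One defensive check this technique invites, added here as an example and not taken from the SentinelLabs report or from the DragonSpark tooling: a Python triage heuristic that flags a binary carrying both the Yaegi interpreter's import paths and runs of Go source text, which a normally compiled Go binary would not contain verbatim. It assumes the interpreter's import paths survive as plain strings in the binary, and it runs on constructed sample buffers rather than real samples.

```python
import re
from typing import Dict, List

# Minimum length of a printable run to treat as a candidate string (same idea as `strings`).
MIN_STRING_LEN = 8

# Constructs of Go *source text*. A normally compiled Go binary keeps symbol names and
# file paths, but not whole "package"/"import"/"func" lines, so these are a useful signal.
GO_SOURCE_PATTERNS = [
    re.compile(rb"(?m)^\s*package\s+\w+\s*$"),
    re.compile(rb"(?m)^\s*import\s+(\(|\")"),
    re.compile(rb"(?m)^\s*func\s+\w+\s*\("),
]

# Import paths of the Yaegi interpreter and its standard-library symbol tables, which a binary
# that interprets Go at runtime must link in. Assumption: they appear as plain strings.
YAEGI_MARKERS = [b"github.com/traefik/yaegi/interp", b"github.com/traefik/yaegi/stdlib"]

def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> List[bytes]:
    """Return printable ASCII runs; tabs and newlines are allowed so multi-line source stays whole."""
    return re.findall(rb"[\x09\x0a\x0d\x20-\x7e]{%d,}" % min_len, data)

def scan_for_embedded_go_source(data: bytes) -> Dict[str, object]:
    """Flag a binary that both links Yaegi and carries Go source text (a hypothetical heuristic)."""
    yaegi_hits = sorted(m.decode() for m in YAEGI_MARKERS if m in data)
    source_chunks = []
    for chunk in extract_strings(data):
        matched = [p for p in GO_SOURCE_PATTERNS if p.search(chunk)]
        if len(matched) >= 2:  # require two constructs in one run to cut false positives
            source_chunks.append(chunk.decode(errors="replace"))
    return {
        "yaegi_markers": yaegi_hits,
        "go_source_chunks": source_chunks,
        "suspicious": bool(yaegi_hits) and bool(source_chunks),
    }

# Constructed samples: an ELF-looking buffer with filler bytes plus both indicators, and a
# benign one holding only the kind of symbol names and paths a normal Go binary contains.
FILLER = b"\x00\x01\x02\xfe\xff" * 8
EMBEDDED_SCRIPT = b'package main\n\nimport "fmt"\n\nfunc main() {\n\tfmt.Println("hi")\n}\n'
SAMPLE_SUSPICIOUS = b"\x7fELF\x02\x01\x01" + FILLER + YAEGI_MARKERS[0] + b"\x00" + EMBEDDED_SCRIPT + b"\x00" + FILLER
SAMPLE_BENIGN = b"\x7fELF\x02\x01\x01" + FILLER + b"main.main\x00runtime.main\x00/usr/local/go/src/fmt/print.go\x00" + FILLER

if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_for_embedded_go_source(blob))
```

Treat a hit as a triage lead, not a verdict: legitimate tooling that embeds an interpreter (or ships its own source) will trip the same heuristic, so confirm with dynamic analysis.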
All of the open-source tools used by DragonSpark were developed by Chinese developers, indicating links between the group and the country. DragonSpark used compromised networks in Taiwan, Hong Kong, China and Singapore belonging to gambling companies, art galleries, travel agencies and schools.