Hackers use Golang source code interpreter to evade detection


A Chinese-speaking hacking group tracked as ‘DragonSpark’ was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.

The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.

The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.

SparkRAT in the wild

The threat actors access vulnerable MySQL and web server endpoints by deploying webshells through SQL injection, cross-site scripting, or web server vulnerabilities.

Next, the attackers deploy SparkRAT, a Golang-based open-source tool that can run on Windows, macOS, and Linux, offering feature-rich remote access functionality.

SparkRAT supports 26 commands received from the C2 to perform the following functions:

  • Remotely execute PowerShell and Windows system commands.
  • Manipulate Windows functions and force shutdown, restart, or suspension.
  • Perform file actions like download, upload, or deletion.
  • Steal system information or capture screenshots and exfiltrate them to the C2.

SparkRAT uses the WebSocket protocol to communicate with the C2 server, and can automatically upgrade itself, constantly adding new features.

SparkRAT upgrading itself automatically
SparkRAT upgrading itself automatically (SentinelLabs)

Besides SparkRAT, ‘DragonSpark’ also uses the SharpToken and BadPotato tools for privilege escalation and the GotoHTTP tool for establishing persistence on the breached system.

Advantages of code interpretation

However, what makes the campaign stand out is the use of Golang source code iterpretation to execute code from Go scripts embedded in the malware binaries. 

This Go script is used to open a reverse shell so that threat actors can connect to it using Metepreter for remote code execution.

A Meterpreter session
A Meterpreter session (SentinelLabs)

This malware uses the Yaegi framework to interpret the embedded, base64-encoded source code stored within the compiled binary during runtime. This allows the code to execute without compiling it first to evade static analysis.

This technique is a rather complex but effective static analysis hindering technique, as most security software only evaluates the behavior of compiled code rather than source code.

Golang source code
Golang source code (Sentinel Labs)

Who is DragonSpark?

DragonSpark does not appear to have any notable overlaps with other Chinese-speaking hacking groups; hence, SentinelLabs assigned the cluster a new name.

Its operations were first spotted in September 2022, involving the Zegost malware, historically associated with Chinese espionage-focused APTs (advanced persistent threats).

The webshell DragonSpark planted onto compromised servers was ‘China Chopper,’ now commonly used by threat actors worldwide.

Also, all of the open-source tools used by DragonSpark were developed by Chinese authors, which strongly indicates that the threat actors have ties to the country.

DragonSpark used compromised networks in Taiwan, Hong Kong, China, and Singapore belonging to gambling-related companies, art galleries, travel agencies, and schools.

Original Source

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

Digital Patreon Wordmark FieryCoralv2

To keep up to date follow us on the below channels.

Click Above for Telegram
Click Above for Discord
Click Above for Reddit
hd linkedin
Click Above For LinkedIn