Organizations in East Asia are being targeted by a likely Chinese-speaking threat actor dubbed DragonSpark, which employs uncommon tactics to get past security controls.
“The attacks are characterized by the use of the little known open source SparkRAT and malware that attempts to evade detection through Golang source code interpretation,” SentinelOne said in an analysis published today.
A striking aspect of the intrusions is the consistent use of SparkRAT to carry out a variety of activities, including stealing information, taking control of an infected host, and running additional PowerShell commands.
The threat actor's end goals remain unknown, although espionage or cybercrime is the likely motive. DragonSpark's ties to China stem from its use of the China Chopper web shell to deploy malware, a widely used attack pathway among Chinese threat actors.
Furthermore, not only do the open source tools used in the attacks originate from developers or companies with links to China, but the infrastructure for staging the payloads is also located in Taiwan, Hong Kong, China, and Singapore, some of it belonging to legitimate businesses.