Cybersecurity researchers have recently uncovered a surge in attacks leveraging SparkRAT, a cross-platform Remote Access Trojan (RAT) written in GoLang. Initially released as open-source on GitHub in 2022, SparkRAT has quickly gained popularity among cybercriminals due to its modular design and the ability to target multiple operating systems, including Windows, macOS, and Linux. Its versatility allows attackers to carry out over 20 different commands, including manipulating files, stealing sensitive data, capturing screenshots, and even performing system actions like shutting down or restarting a compromised device. Additionally, SparkRAT uses the WebSocket protocol to communicate with its command-and-control (C2) server, blending into legitimate network traffic to avoid detection.
SparkRAT’s self-updating feature is another key element of its functionality, allowing it to maintain persistence by sending HTTP POST requests to its repository. The default C2 server configuration listens on port 8000, though attackers often reconfigure this to suit their needs. Researchers at Hunt.io have identified unique HTTP response headers that can be used to detect SparkRAT servers, such as the absence of standard fields like Server and Content-Type, and the server’s typical response of “HTTP/1.1 401 Unauthorized.” These unique fingerprints can assist in spotting SparkRAT-related activities on infected systems.
The DragonSpark operation, attributed to Chinese-speaking threat actors, is one of the most notable campaigns involving SparkRAT. This campaign, which began targeting East Asian organizations in late 2022, employs sophisticated evasion techniques, including using the Yaegi framework to interpret GoLang source code at runtime. This approach enables attackers to bypass static analysis tools. DragonSpark attackers exploit vulnerabilities in exposed MySQL databases and web servers to deploy SparkRAT along with other tools like SharpToken and BadPotato for privilege escalation. The campaign also utilizes additional malware, such as m6699.exe and ShellCode Loader, to further their objectives.
In a separate incident observed in November 2024, hackers targeted macOS users with fake meeting pages to deliver SparkRAT payloads. These payloads were distributed via open directories on compromised servers in South Korea and Singapore. These directories contained malicious scripts that executed SparkRAT binaries with elevated permissions once accessed. Researchers have traced several IP addresses associated with these campaigns, including those from South Korea and Singapore. To defend against SparkRAT, experts recommend monitoring for unusual WebSocket traffic, using advanced endpoint detection solutions, regularly patching systems, and educating users about phishing tactics to reduce the risk of infection.
Reference:
A Threat Actor Using SparkRat is TAG-100:
The emergence of threat actor groups presents a significant challenge to organizations worldwide. Among these groups, TAG-100 has surfaced as a formidable player in global cyber-espionage campaigns, targeting high-profile government and private sector organizations across multiple continents. Recent reports from Recorded Future’s Insikt Group have detailed TAG-100’s sophisticated tactics, highlighting its reliance on open-source remote access tools and the exploitation of vulnerable internet-facing appliances to gain unauthorized access to sensitive networks.
TAG-100’s operations have not only focused on well-known enterprises but also on intergovernmental organizations in the Asia-Pacific region, revealing a breadth of ambition and capability. The group’s targeting strategy encompasses a wide array of sectors, including diplomatic entities, government ministries, semiconductor supply chains, and religious organizations. This extensive reach underscores the critical need for heightened vigilance among organizations that may be potential targets of espionage activities, particularly those involved in strategic sectors or international cooperation.
