Spotting SparkRAT: Detection Tactics & Sandbox Findings

Overview

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Today, we turn our attention to a particularly insidious malware called SparkRAT. This Remote Access Tool (RAT) has recently come under the spotlight for its use in sophisticated attacks attributed by industry leaders like Microsoft, SentinelOne, and AhnLab to coordinated threat actors.

Inside SparkRAT

Written in Golang and released on GitHub in 2022, SparkRAT quietly entered the scene with minimal initial recognition (outside some hacking forums). Despite the project ceasing updates in mid-2023, the RAT is very popular, evidenced by over 400 forks.

This ongoing interest suggests that modifications and expansions of SparkRAT could emerge in cybersecurity reports in the near future, reflecting its potential to cause havoc in networks.

SparkRAT supports all three major operating systems and uses WebSockets and HTTP(S) communication channels. It aligns with many capabilities typical of open-source remote access tools, including a GUI for controlling clients.

Figure 1: SparkRAT C2 check-in (Source: Hatching Triage)

As mentioned above, SparkRAT provides a user interface to track remote connections, issue commands, etc. By default, the server runs on port 8000. While not a definitive indicator, this default setting (when correlated with additional factors) may positively identify SparkRAT servers. Remember, red teamers and malicious actors are just as human as the rest of us, and defaults sometimes get the job done.

Unfortunately, the server at the IP address in Figure 1, 95.164.0[.]23, no longer responds to requests. Let’s download an instance of the RAT and see what the login page looks like in a lab environment.

Figure 2: Login dialog box for SparkRAT

The administrative functions of the RAT are accessed by username and password using basic HTTP authentication. Security issues with this form of authentication aside, navigating to a SparkRAT login produces the below HTTP response headers:

• HTTP/1.1 401 Unauthorized
• Www-Authenticate: Basic realm=Authorization Required
• Date
• Content-Length: 0

* I’ll leave it as an exercise for the reader, but you may find some interesting server responses when sending the HTTP request headers, as seen in Figure 1, to suspected C2s. As always, ensure you aren’t being a nuisance when conducting internet-wide scanning.

Common for basic HTTP authentication, the above response headers alone would generate massive results if used for identification purposes. However, when these headers are combined with the usage of the default port 8000, the scope of potential servers narrows significantly, making the dataset more manageable.

Even with a smaller dataset, we’ll need assistance identifying SparkRAT C2s. Resources such as Hatching Triage and VirusTotal are invaluable in this process, specifically tagging files communicating with suspicious IPs.

For example, we’ll look at the IP address documented in the traffic capture shown in Figure 1.

A Brief Look at The IP

Figure 3: Screenshot of SparkRAT C2 in Hunt

Located in Poland, 95.164.0[.]23 falls under the Stark Industries Solutions ASN, a netblock known for malicious activities. Focusing on such networks can significantly aid in hunting adversary infrastructure.

Additionally, considering server locations can provide context; for instance, a high concentration of servers in Asia is typical for Chinese-language C2 frameworks. It should be noted that the server's location can often depend on several factors (target locale, etc.).

Figure 4: VirustTotal screenshot of suspected SparkRAT IP

VirusTotal finds four files communicating with our suspect IP and a self-signed TLS certificate.

For those without premium access to VirusTotal, let’s look at one of the files in another sandbox, Hatching Triage.

SFX x2

The file we’ll look at today (MD5: 3261cbac9f0ad69dd805bfd875eb0161) is a self-extracting (SFX) archive. This archive includes a batch file and another password-protected SFX file that ultimately deploys and launches the SparkRAT client. The initial file details and signatures are illustrated in Figure 5 below.

Figure 5: File details of SparkRAT client (Source: Hatching Triage)

Figure 6 displays the outcomes of applying the command 'unrar t' to both SFX archives, illustrating the bundled files and password prompt.

Figure 6: Screenshot of ‘unrar t’ command results on both files

To conclude, we will revisit VirusTotal, as the sandbox results offer a wealth of information, including crowdsourced Sigma and IDS rules. This detailed data will be instrumental in substantiating our assumption that the IP address we’ve been looking at is indeed a SparkRAT command and control (C2) server.

Figure 7: VirusTotal screenshot of final SparkRAT payload

Conclusion

In this post, we've discussed various aspects of the SparkRAT framework, from its login mechanics to C2 communications. Our exploration included leveraging sandbox results to confirm our suspicions and identify an active controller in the wild.

SparkRAT is a freely available, multi-platform, feature-rich framework poised to remain a significant tool in the arsenals of cybercriminals and other threat actors. The Hunt Research Team will continue to monitor SparkRAT activities closely and work on enhancing our detections. We aim to share these advancements with our users soon, equipping them to better defend against such evolving threats.

We encourage you to apply for an account and discover how Hunt can enhance your defensive strategies against SparkRAT and similar threats.

File Indicators