Spotting SparkRAT: Detection Tactics & Sandbox Findings

Spotting SparkRAT: Detection Tactics & Sandbox Findings

Published on

Published on

Published on

Apr 23, 2024

Apr 23, 2024

Apr 23, 2024

Spotting SparkRAT: Detection Tactics & Sandbox Findings
Spotting SparkRAT: Detection Tactics & Sandbox Findings
Spotting SparkRAT: Detection Tactics & Sandbox Findings
TABLE OF CONTENTS

Overview

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Today, we turn our attention to a particularly insidious malware called SparkRAT. This Remote Access Tool (RAT) has recently come under the spotlight for its use in sophisticated attacks attributed by industry leaders like Microsoft, SentinelOne, and AhnLab to coordinated threat actors.

Inside SparkRAT

Written in Golang and released on GitHub in 2022, SparkRAT quietly entered the scene with minimal initial recognition (outside some hacking forums). Despite the project ceasing updates in mid-2023, the RAT is very popular, evidenced by over 400 forks.

This ongoing interest suggests that modifications and expansions of SparkRAT could emerge in cybersecurity reports in the near future, reflecting its potential to cause havoc in networks.

SparkRAT supports all three major operating systems and uses WebSockets and HTTP(S) communication channels. It aligns with many capabilities typical of open-source remote access tools, including a GUI for controlling clients.

httpshuntioimagesblogsspotting-sparkratfig-1webp
Figure 1: SparkRAT C2 check-in (Source: Hatching Triage)

As mentioned above, SparkRAT provides a user interface to track remote connections, issue commands, etc. By default, the server runs on port 8000. While not a definitive indicator, this default setting (when correlated with additional factors) may positively identify SparkRAT servers. Remember, red teamers and malicious actors are just as human as the rest of us, and defaults sometimes get the job done.

Unfortunately, the server at the IP address in Figure 1, 95.164.0[.]23, no longer responds to requests. Let's download an instance of the RAT and see what the login page looks like in a lab environment.

httpshuntioimagesblogsspotting-sparkratfig-2webp
Figure 2: Login dialog box for SparkRAT

The administrative functions of the RAT are accessed by username and password using basic HTTP authentication. Security issues with this form of authentication aside, navigating to a SparkRAT login produces the below HTTP response headers:

  • HTTP/1.1 401 Unauthorized
  • Www-Authenticate: Basic realm=Authorization Required
  • Date
  • Content-Length: 0
  • I'll leave it as an exercise for the reader, but you may find some interesting server responses when sending the HTTP request headers, as seen in Figure 1, to suspected C2s. As always, ensure you aren't being a nuisance when conducting internet-wide scanning.

Common for basic HTTP authentication, the above response headers alone would generate massive results if used for identification purposes. However, when these headers are combined with the usage of the default port 8000, the scope of potential servers narrows significantly, making the dataset more manageable.

Even with a smaller dataset, we'll need assistance identifying SparkRAT C2s. Resources such as Hatching Triage and VirusTotal are invaluable in this process, specifically tagging files communicating with suspicious IPs.

For example, we'll look at the IP address documented in the traffic capture shown in Figure 1.

A Brief Look at The IP

httpshuntioimagesblogsspotting-sparkratfig-3webp
Figure 3: Screenshot of SparkRAT C2 in Hunt

Located in Poland, 95.164.0[.]23 falls under the Stark Industries Solutions ASN, a netblock known for malicious activities. Focusing on such networks can significantly aid in hunting adversary infrastructure.

Additionally, considering server locations can provide context; for instance, a high concentration of servers in Asia is typical for Chinese-language C2 frameworks. It should be noted that the server's location can often depend on several factors (target locale, etc.).

httpshuntioimagesblogsspotting-sparkratfig-4webp
Figure 4: VirustTotal screenshot of suspected SparkRAT IP

VirusTotal finds four files communicating with our suspect IP and a self-signed TLS certificate.

For those without premium access to VirusTotal, let's look at one of the files in another sandbox, Hatching Triage.

SFX x2

The file we'll look at today (MD5: 3261cbac9f0ad69dd805bfd875eb0161) is a self-extracting (SFX) archive. This archive includes a batch file and another password-protected SFX file that ultimately deploys and launches the SparkRAT client. The initial file details and signatures are illustrated in Figure 5 below.

httpshuntioimagesblogsspotting-sparkratfig-5webp
Figure 5: File details of SparkRAT client (Source: Hatching Triage)

Figure 6 displays the outcomes of applying the command 'unrar t' to both SFX archives, illustrating the bundled files and password prompt.

httpshuntioimagesblogsspotting-sparkratfig-6webp
Figure 6: Screenshot of 'unrar t' command results on both files

To conclude, we will revisit VirusTotal, as the sandbox results offer a wealth of information, including crowdsourced Sigma and IDS rules. This detailed data will be instrumental in substantiating our assumption that the IP address we've been looking at is indeed a SparkRAT command and control (C2) server .

httpshuntioimagesblogsspotting-sparkratfig-7webp
Figure 7: VirusTotal screenshot of final SparkRAT payload

Conclusion

In this post, we've discussed various aspects of the SparkRAT framework, from its login mechanics to C2 communications. Our exploration included leveraging sandbox results to confirm our suspicions and identify an active controller in the wild.

SparkRAT is a freely available, multi-platform, feature-rich framework poised to remain a significant tool in the arsenals of cybercriminals and other threat actors. The Hunt Research Team will continue to monitor SparkRAT activities closely and work on enhancing our detections. We aim to share these advancements with our users soon, equipping them to better defend against such evolving threats.

We encourage you to apply for an account and discover how Hunt can enhance your defensive strategies against SparkRAT and similar threats.

File Indicators

FilenameSHA1
3261cbac9f0ad69dd805bfd875eb0161.exe3471247cffded4259b12593cce644c7c9470a4d2
1.bat316fa09f467ba90ac34a054daf2e92e6e2854ff8
work.exe4d30a84eda510596e528a7adbac23148618d5a62
iox.exe0095c9d4bc45fed4080e72bd46876efd
hesf.exe8f2df5c6cec499f65168fae5318dc572
TABLE OF CONTENTS

Overview

The Hunt Research Team vigilantly monitors GitHub, sifts through the IOC sections of threat intelligence reports, and scours various online forums for emerging threats, ensuring our detections stay practical and current for our customers. Our focus frequently turns to lesser-known threats that can still wreak havoc on the networks of uninformed defenders.

Today, we turn our attention to a particularly insidious malware called SparkRAT. This Remote Access Tool (RAT) has recently come under the spotlight for its use in sophisticated attacks attributed by industry leaders like Microsoft, SentinelOne, and AhnLab to coordinated threat actors.

Inside SparkRAT

Written in Golang and released on GitHub in 2022, SparkRAT quietly entered the scene with minimal initial recognition (outside some hacking forums). Despite the project ceasing updates in mid-2023, the RAT is very popular, evidenced by over 400 forks.

This ongoing interest suggests that modifications and expansions of SparkRAT could emerge in cybersecurity reports in the near future, reflecting its potential to cause havoc in networks.

SparkRAT supports all three major operating systems and uses WebSockets and HTTP(S) communication channels. It aligns with many capabilities typical of open-source remote access tools, including a GUI for controlling clients.

httpshuntioimagesblogsspotting-sparkratfig-1webp
Figure 1: SparkRAT C2 check-in (Source: Hatching Triage)

As mentioned above, SparkRAT provides a user interface to track remote connections, issue commands, etc. By default, the server runs on port 8000. While not a definitive indicator, this default setting (when correlated with additional factors) may positively identify SparkRAT servers. Remember, red teamers and malicious actors are just as human as the rest of us, and defaults sometimes get the job done.

Unfortunately, the server at the IP address in Figure 1, 95.164.0[.]23, no longer responds to requests. Let's download an instance of the RAT and see what the login page looks like in a lab environment.

httpshuntioimagesblogsspotting-sparkratfig-2webp
Figure 2: Login dialog box for SparkRAT

The administrative functions of the RAT are accessed by username and password using basic HTTP authentication. Security issues with this form of authentication aside, navigating to a SparkRAT login produces the below HTTP response headers:

  • HTTP/1.1 401 Unauthorized
  • Www-Authenticate: Basic realm=Authorization Required
  • Date
  • Content-Length: 0
  • I'll leave it as an exercise for the reader, but you may find some interesting server responses when sending the HTTP request headers, as seen in Figure 1, to suspected C2s. As always, ensure you aren't being a nuisance when conducting internet-wide scanning.

Common for basic HTTP authentication, the above response headers alone would generate massive results if used for identification purposes. However, when these headers are combined with the usage of the default port 8000, the scope of potential servers narrows significantly, making the dataset more manageable.

Even with a smaller dataset, we'll need assistance identifying SparkRAT C2s. Resources such as Hatching Triage and VirusTotal are invaluable in this process, specifically tagging files communicating with suspicious IPs.

For example, we'll look at the IP address documented in the traffic capture shown in Figure 1.

A Brief Look at The IP

httpshuntioimagesblogsspotting-sparkratfig-3webp
Figure 3: Screenshot of SparkRAT C2 in Hunt

Located in Poland, 95.164.0[.]23 falls under the Stark Industries Solutions ASN, a netblock known for malicious activities. Focusing on such networks can significantly aid in hunting adversary infrastructure.

Additionally, considering server locations can provide context; for instance, a high concentration of servers in Asia is typical for Chinese-language C2 frameworks. It should be noted that the server's location can often depend on several factors (target locale, etc.).

httpshuntioimagesblogsspotting-sparkratfig-4webp
Figure 4: VirustTotal screenshot of suspected SparkRAT IP

VirusTotal finds four files communicating with our suspect IP and a self-signed TLS certificate.

For those without premium access to VirusTotal, let's look at one of the files in another sandbox, Hatching Triage.

SFX x2

The file we'll look at today (MD5: 3261cbac9f0ad69dd805bfd875eb0161) is a self-extracting (SFX) archive. This archive includes a batch file and another password-protected SFX file that ultimately deploys and launches the SparkRAT client. The initial file details and signatures are illustrated in Figure 5 below.

httpshuntioimagesblogsspotting-sparkratfig-5webp
Figure 5: File details of SparkRAT client (Source: Hatching Triage)

Figure 6 displays the outcomes of applying the command 'unrar t' to both SFX archives, illustrating the bundled files and password prompt.

httpshuntioimagesblogsspotting-sparkratfig-6webp
Figure 6: Screenshot of 'unrar t' command results on both files

To conclude, we will revisit VirusTotal, as the sandbox results offer a wealth of information, including crowdsourced Sigma and IDS rules. This detailed data will be instrumental in substantiating our assumption that the IP address we've been looking at is indeed a SparkRAT command and control (C2) server .

httpshuntioimagesblogsspotting-sparkratfig-7webp
Figure 7: VirusTotal screenshot of final SparkRAT payload

Conclusion

In this post, we've discussed various aspects of the SparkRAT framework, from its login mechanics to C2 communications. Our exploration included leveraging sandbox results to confirm our suspicions and identify an active controller in the wild.

SparkRAT is a freely available, multi-platform, feature-rich framework poised to remain a significant tool in the arsenals of cybercriminals and other threat actors. The Hunt Research Team will continue to monitor SparkRAT activities closely and work on enhancing our detections. We aim to share these advancements with our users soon, equipping them to better defend against such evolving threats.

We encourage you to apply for an account and discover how Hunt can enhance your defensive strategies against SparkRAT and similar threats.

File Indicators

FilenameSHA1
3261cbac9f0ad69dd805bfd875eb0161.exe3471247cffded4259b12593cce644c7c9470a4d2
1.bat316fa09f467ba90ac34a054daf2e92e6e2854ff8
work.exe4d30a84eda510596e528a7adbac23148618d5a62
iox.exe0095c9d4bc45fed4080e72bd46876efd
hesf.exe8f2df5c6cec499f65168fae5318dc572

Related Posts:

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.