SparkRAT

SparkRAT is a cross-platform Remote Access Trojan (RAT) written in Go. Once installed on a victim's machine it can execute commands, manage files and processes, download additional payloads and gather information from the infected system, including screenshots. Its multi-platform support and broad feature set make it an attractive tool for attackers.

Key Insights

SparkRAT is designed to run on multiple operating systems (Windows, Linux, macOS). It offers command execution, system manipulation, file and process management and information theft. The project is actively maintained and regularly gains new features, so attackers who adopt it get a versatile, up-to-date tool without having to build their own.

Deployment and Evasion Techniques

Threat actors have been observed deploying SparkRAT in sophisticated attacks, such as the DragonSpark campaign targeting East Asian organizations. In those attacks the operators interpreted Go source code at runtime (the DragonSpark report describes the use of the Yaegi Go interpreter) instead of shipping the malicious logic as ordinary compiled code, which hinders static analysis and evades detection mechanisms that key on compiled artifacts. This uncommon technique adds an extra layer of obfuscation and makes the threat harder for security solutions to detect and mitigate.
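One consequence of interpreting Go source at runtime is that the source text itself has to be present somewhere in the dropped binary. The following is an added hunting heuristic written for this page, not tooling from the DragonSpark report or from SparkRAT: it scans a file's bytes for markers of a compiled Go binary and, separately, for readable Go source text, and flags files that carry both. The sample byte blobs are constructed for the demo; the marker lists and thresholds are assumptions to tune against your own sample set.

```python
"""Flag compiled Go binaries that also carry readable Go source text.

Added example for this page (not SparkRAT or DragonSpark tooling). A compiled
Go program normally contains runtime strings but not Go *source*; a binary that
contains both may be handing that source to an embedded interpreter at runtime,
the evasion technique described above. Marker lists and thresholds are
assumptions chosen for the demo.
"""
import re
import sys

# Strings that appear in the text of a Go source file (assumed markers).
SOURCE_MARKERS = [
    rb"\bpackage\s+main\b",
    rb"\bimport\s*\(",
    rb"\bfunc\s+main\s*\(\s*\)",
    rb":=",
]

# Strings that appear in practically every compiled Go binary.
GO_BINARY_MARKERS = [
    rb"Go build ID:",       # .note.go.buildid contents
    rb"runtime\.goexit",    # runtime symbol name in the binary's string table
    rb"go1\.\d+",           # toolchain version string
]

# Constructed samples: a fake "clean" Go binary, the same binary with a Go
# source blob appended, and a plain .go source file that is not a binary.
CLEAN_GO = (
    b"\x7fELF" + b"\x00" * 16
    + b'Go build ID: "abc"\x00runtime.goexit\x00go1.20.3\x00' + b"\x00" * 32
)
EMBEDDED_SOURCE = CLEAN_GO + (
    b"package main\n\nimport (\n\t\"os/exec\"\n)\n\n"
    b"func main() {\n\tout, _ := exec.Command(\"whoami\").Output()\n\t_ = out\n}\n"
)
PLAIN_TEXT_FILE = b"package main\nfunc main() {}\n"


def count_matches(data: bytes, patterns) -> int:
    """Number of distinct patterns that occur at least once in data."""
    return sum(1 for p in patterns if re.search(p, data))


def classify(data: bytes, min_source_markers: int = 3) -> dict:
    """Return a verdict for one file's raw bytes."""
    go_hits = count_matches(data, GO_BINARY_MARKERS)
    src_hits = count_matches(data, SOURCE_MARKERS)
    return {
        "is_go_binary": go_hits >= 1,
        "source_markers": src_hits,
        # Only a *binary* that also contains source text is interesting;
        # a plain .go file on disk is expected to contain source.
        "suspicious": go_hits >= 1 and src_hits >= min_source_markers,
    }


def extract_source_snippet(data: bytes, window: int = 200):
    """Return the first `window` bytes of embedded source for analyst triage."""
    m = re.search(rb"package\s+main\b", data)
    if not m:
        return None
    return data[m.start(): m.start() + window].decode("utf-8", errors="replace")


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return classify(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        for name, blob in [("clean", CLEAN_GO), ("embedded", EMBEDDED_SOURCE),
                           ("plain .go", PLAIN_TEXT_FILE)]:
            print(name, classify(blob))
        print(extract_source_snippet(EMBEDDED_SOURCE))
```

Run it with file paths to scan real samples, or with no arguments to see the verdicts on the constructed blobs. The marker approach is deliberately coarse: legitimate Go tooling (compilers, linters, test runners) also embeds source text, so treat a hit as a triage lead, not a conviction, and pair it with the snippet the script extracts.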

Command and Control Communication

SparkRAT communicates with its operators through command and control (C2) servers, typically over WebSocket connections carried on HTTP or HTTPS. This C2 channel lets attackers send commands, receive exfiltrated data and manage the infected system remotely. Because WebSocket traffic on standard web ports looks like ordinary browser activity, the malware blends in with legitimate traffic and is harder to spot with network-based detection.

Known Variants

SparkRAT itself is a single open-source project, but because its source is public it can be modified and customized freely. Security researchers have seen it deployed alongside other tools and malware in different campaigns, so threat actors are likely to adapt it to their needs. Documentation of specific SparkRAT variants, however, remains limited.

Mitigation Strategies

  • Network Monitoring: Monitor for unusual traffic patterns, especially WebSocket connections to unfamiliar or IP-literal destinations, on non-standard ports, or recurring at fixed intervals.

  • Endpoint Protection: Deploy an endpoint detection and response (EDR) solution that can detect and block RAT behaviour such as remote shell spawning, screen capture and payload download.

  • Patch Management: Keep systems and applications updated to reduce the opportunities for initial-access exploitation.

  • User Training: Educate users about the phishing and social engineering attacks that lead to malware installation.
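The C2 section above describes SparkRAT's WebSocket channel, and the Network Monitoring item asks for WebSocket traffic to be watched. The script below is an added example written for this page, not a detection published by any vendor or by the SparkRAT project: it reads JSON-per-line web proxy records, keeps only completed WebSocket upgrades (Upgrade: websocket answered with HTTP 101), groups them per source/destination, and raises an alert when the destination is an IP literal, the port is not a standard web port, or the connections recur at a near-constant interval. The field names, the log lines and the thresholds are all constructed assumptions; map them onto your own proxy or Zeek schema.

```python
"""Flag WebSocket command-and-control candidates in web proxy logs.

Added example for this page, not a detection shipped with SparkRAT or by any
vendor. It assumes a JSON-per-line HTTP log with the fields used below (a
Zeek-like schema chosen for the demo). The log lines are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from statistics import pstdev

STANDARD_WEB_PORTS = {80, 443}

# Constructed sample: one host beaconing every 60 s over WebSocket to a bare
# IP on port 8000, plus benign WebSocket and plain HTTP traffic for contrast.
SAMPLE_LOG = """\
{"ts": 1700000000, "src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 8000, "host": "203.0.113.10", "uri": "/ws", "upgrade": "websocket", "status": 101}
{"ts": 1700000060, "src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 8000, "host": "203.0.113.10", "uri": "/ws", "upgrade": "websocket", "status": 101}
{"ts": 1700000120, "src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 8000, "host": "203.0.113.10", "uri": "/ws", "upgrade": "websocket", "status": 101}
{"ts": 1700000130, "src": "10.0.0.7", "dst": "198.51.100.20", "dst_port": 443, "host": "chat.example.com", "uri": "/socket", "upgrade": "websocket", "status": 101}
{"ts": 1700000140, "src": "10.0.0.7", "dst": "198.51.100.21", "dst_port": 443, "host": "www.example.com", "uri": "/index.html", "upgrade": "", "status": 200}
"""


def parse_log(text: str) -> list:
    """Parse JSON-per-line records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_websocket_upgrade(rec: dict) -> bool:
    """True for a handshake the server accepted (Upgrade: websocket, HTTP 101)."""
    return rec.get("upgrade", "").lower() == "websocket" and rec.get("status") == 101


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def detect(log_text: str, min_beacons: int = 3, max_jitter_s: float = 5.0) -> list:
    """Group accepted WebSocket upgrades and return alerts with their reasons."""
    groups = defaultdict(list)
    for rec in parse_log(log_text):
        if is_websocket_upgrade(rec):
            key = (rec["src"], rec["dst"], rec["dst_port"], rec["host"])
            groups[key].append(float(rec["ts"]))

    alerts = []
    for (src, dst, port, host), times in groups.items():
        reasons = []
        if host_is_ip_literal(host):
            reasons.append("ip_literal_host")
        if port not in STANDARD_WEB_PORTS:
            reasons.append("non_standard_port")
        times.sort()
        intervals = [b - a for a, b in zip(times, times[1:])]
        # Beaconing: enough connections whose spacing barely varies.
        if len(times) >= max(min_beacons, 2) and pstdev(intervals) <= max_jitter_s:
            reasons.append("regular_beacon")
        if reasons:
            alerts.append({"src": src, "dst": dst, "dst_port": port, "host": host,
                           "count": len(times), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Each reason on its own is noisy (internal apps use bare IPs, developers use odd ports, monitoring agents beacon regularly), so in production weight the reasons rather than alerting on any single one, and enrich hits with the process that opened the connection from your EDR telemetry.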

Targeted Industries or Sectors

SparkRAT has been seen in attacks against East Asian organizations, particularly in the DragonSpark campaign. The targeted sectors include technology, government and other industries holding valuable data. Its cross-platform nature makes it usable against a wide range of targets, depending on the attackers' objectives.

Associated Threat Actors

The DragonSpark attacks show that Chinese-speaking threat actors are using SparkRAT. The campaign used compromised infrastructure in China and Taiwan to drop SparkRAT along with other tools and malware. While the activity has not been attributed to a specific named group, the consistent use of SparkRAT in these attacks indicates it is gaining popularity among some threat groups.
