Image: Annie Spratt

Large East Asian companies attacked with SparkRAT open source tool

Large companies in East Asia are being attacked with an open source tool named SparkRAT, according to a new report. 

Researchers from SentinelLabs told The Record that they have been tracking a hacking group named “DragonSpark” since October due to its frequent attacks on large companies, which they did not name, and its ability to continually evolve. 

“Many victim organizations have a large customer base, leading to the belief that the threat actors may be targeting customer data for criminal or other purposes. Currently, the DragonSpark attack cluster is considered to be opportunistic in nature,” the researchers told The Record. 

The researchers said their study reiterates that threat actors continue to innovate with open source tools that allow them to better evade detection and obfuscate their goals.

Hackers have adopted SparkRAT due to its practicality, they said. The remote access Trojan (RAT) is a readily-available, feature-rich and multi-platform tool.

Research found that a Chinese-speaking actor is likely behind the DragonSpark attacks, and the hackers are using compromised infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.

Microsoft released its own report on SparkRAT in December, warning of several actors using the tool. 

DragonSpark typically targets web and database servers exposed to the internet and uses a variety of tools in their attacks to gain access to environments and move laterally. 

They rely heavily on open source tools provided by Chinese-speaking developers or vendors, including the privilege escalation tools SharpToken and BadPotato, alongside SparkRAT. SharpToken allows hackers to add, delete, or change the passwords of system users, according to SentinelOne

SparkRAT stands out among the tools used by the group because of the wide range of actions it enables. SentinelLabs researchers found that it allows hackers to shut down a system, restart it or put it in hibernation. Users can delete or download files and exfiltrate platform information. 

“The DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware. The C2 servers were located in Hong Kong and the United States,” the researchers said. 

“The malware staging infrastructure includes compromised infrastructure of legitimate Taiwanese organizations and businesses, such as a baby product retailer, an art gallery, and games and gambling websites.”

The researchers were unable to identify the group’s motivations but said it may range from cybercrime to espionage. Some of its tools are used by Chinese cybercriminals while others are used as part of espionage campaigns. 

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.