Unmasking SparkRAT: Detection & macOS Campaign Insights
SparkRAT is a remote access tool that emerged in 2022 and has since been used in cyber espionage campaigns against government entities. This summary covers its command-and-control communication, detection strategies, and the infrastructure linked to its distribution, including ongoing attacks attributed to North Korean threat actors. The findings show several different deployment tactics, highlighting the tool's adaptability and the value of real-time infrastructure tracking in uncovering active deployments. Affected: government organizations and other targets of cyber espionage.

Key points:

  • SparkRAT was first released on GitHub in 2022 and is known for its modular design and cross-platform support.
  • It has been involved in cyber espionage operations targeting government organizations.
  • The client establishes its command-and-control (C2) channel over the WebSocket protocol and then uses plain HTTP POST requests for version checks.
  • Access to the SparkRAT server's web panel is gated by HTTP Basic Authentication.
  • The server's distinctive HTTP response headers can be used to identify SparkRAT deployments during an investigation.
  • Active campaigns delivering SparkRAT have been traced back to North Korean actors.
  • Several IP addresses and associated domains have been identified, indicating ongoing operations using SparkRAT.
  • Suspected distribution tactics include the use of fake meeting pages and domains.
  • Malicious files and scripts associated with SparkRAT were discovered in exposed directories.
  • Research continues to refine detection methods and scanning techniques to uncover more SparkRAT infrastructure.
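The client-side traffic pattern described in the key points (a WebSocket upgrade to the C2 host followed by HTTP POST requests to the same host) can be turned into a simple hunting heuristic over HTTP proxy or Zeek-style logs. The following Python is an added example written for this summary, not code from hunt.io or from the SparkRAT project. The log format, the hostnames and the URI `/api/client/update` are all constructed for the example; real SparkRAT paths and header values are not reproduced here because this page does not list them, and the server-side header fingerprint the page mentions would need those values.

```python
"""Flag (src, dst) pairs where a WebSocket upgrade is followed, within a time
window, by an HTTP POST to the same destination, the sequence this summary
attributes to the SparkRAT client.  Everything below is illustrative."""
import json
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (JSON lines) for this example only.  The schema
# (ts, src, dst, method, uri, status, headers) is a hypothetical proxy export;
# the URI "/api/client/update" is a placeholder, not a confirmed SparkRAT path.
SAMPLE_LOG = """\
{"ts": 1000.0, "src": "10.0.0.5", "dst": "203.0.113.10:8000", "method": "GET", "uri": "/ws", "status": 101, "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}}
{"ts": 1001.5, "src": "10.0.0.5", "dst": "203.0.113.10:8000", "method": "POST", "uri": "/api/client/update", "status": 204, "headers": {}}
{"ts": 1002.0, "src": "10.0.0.6", "dst": "198.51.100.20:443", "method": "GET", "uri": "/ws", "status": 101, "headers": {"Upgrade": "websocket"}}
{"ts": 1003.0, "src": "10.0.0.7", "dst": "198.51.100.20:443", "method": "POST", "uri": "/login", "status": 200, "headers": {}}
{"ts": 1004.0, "src": "10.0.0.8", "dst": "192.0.2.9:80", "method": "POST", "uri": "/api/client/update", "status": 204, "headers": {}}
{"ts": 1005.0, "src": "10.0.0.8", "dst": "192.0.2.9:80", "method": "GET", "uri": "/ws", "status": 101, "headers": {"Upgrade": "websocket"}}
{"ts": 2000.0, "src": "10.0.0.9", "dst": "192.0.2.9:80", "method": "GET", "uri": "/ws", "status": 101, "headers": {"Upgrade": "websocket"}}
{"ts": 2400.0, "src": "10.0.0.9", "dst": "192.0.2.9:80", "method": "POST", "uri": "/api/client/update", "status": 204, "headers": {}}
"""


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str
    method: str
    uri: str
    status: int
    headers: dict  # header names lower-cased by parse_log


def parse_log(text: str) -> list[Event]:
    """Parse JSON-lines records into time-ordered Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # Normalise header names so matching is case-insensitive.
        hdrs = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        events.append(Event(float(rec["ts"]), rec["src"], rec["dst"],
                            rec["method"].upper(), rec["uri"],
                            int(rec["status"]), hdrs))
    return sorted(events, key=lambda e: e.ts)


def is_ws_upgrade(ev: Event) -> bool:
    """A completed WebSocket handshake: GET with Upgrade: websocket answered 101."""
    return (ev.method == "GET" and ev.status == 101
            and ev.headers.get("upgrade", "").lower() == "websocket")


def find_ws_then_post(events: list[Event], window: float = 300.0) -> list[tuple]:
    """Return sorted (src, dst, ws_ts, post_ts) tuples for each WebSocket upgrade
    that is followed within `window` seconds by a POST from the same source to
    the same destination.  Order matters: a POST that precedes the upgrade, or a
    POST from a different source, does not match."""
    by_pair: dict[tuple, list[Event]] = defaultdict(list)
    for ev in events:
        by_pair[(ev.src, ev.dst)].append(ev)

    hits = []
    for (src, dst), evs in by_pair.items():
        last_ws = None
        for ev in evs:  # already time-ordered by parse_log
            if is_ws_upgrade(ev):
                last_ws = ev.ts
            elif ev.method == "POST" and last_ws is not None and ev.ts - last_ws <= window:
                hits.append((src, dst, last_ws, ev.ts))
                last_ws = None  # one alert per handshake
    return sorted(hits)


if __name__ == "__main__":
    for src, dst, ws_ts, post_ts in find_ws_then_post(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}: websocket at {ws_ts}, POST {post_ts - ws_ts:.1f}s later")
```

Only the first host pair in the sample matches: 10.0.0.6 and 10.0.0.7 hit the same destination but from different sources, 10.0.0.8 sends its POST before the upgrade, and 10.0.0.9's POST falls outside the five-minute window. In a real environment the heuristic should be tightened with destination reputation or the server header fingerprint the page describes, since a WebSocket handshake followed by a POST is also how many legitimate web applications behave.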

MITRE Techniques:

  • T1071.001 (Application Layer Protocol: Web Protocols): SparkRAT communicates with its C2 server over WebSocket and issues HTTP POST requests for version checks; both are web protocols under this single sub-technique.
  • T1046 (Network Service Discovery): cited for the internet-wide scanning that located active SparkRAT C2 servers; this describes the researchers' detection effort rather than adversary behaviour.
  • T1059 (Command and Scripting Interpreter): the malware executes operator-supplied commands and launches other processes to maintain control of infected systems.

Indicators of Compromise:

  • [IP Address] 152.32.138[.]108
  • [IP Address] 15.235.130[.]160
  • [IP Address] 118.194.249[.]38
  • [SHA-256] client.bin cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56
  • [SHA-256] client.bin 52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15

Full Story: https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections