Saturday, February 8, 2025
Homecyber securityHackers Attacking Windows, macOS, and Linux systems With SparkRAT

Hackers Attacking Windows, macOS, and Linux systems With SparkRAT

Published on

SIEM as a Service

Follow Us on Google News

Researchers have uncovered new developments in SparkRAT operations, shedding light on its persistent use in malicious campaigns targeting macOS users and government organizations.

The findings, detailed in a recent report, underscore the evolving tactics of threat actors leveraging SparkRAT’s modular framework and cross-platform capabilities across Windows, macOS, and Linux.

SparkRAT’s Communication

Originally released on GitHub in 2022 by user XZB-1248, SparkRAT is a Remote Access Trojan (RAT) renowned for its adaptability, user-friendly web interface, and multi-platform compatibility.

The malware operates through a command-and-control (C2) server using WebSocket-based communication, transitioning to HTTP POST requests to verify updates from its repository.

SparkRAT
Example request for an upgrade in SparkRAT.

By default, C2 servers are configured on port 8000, a characteristic that facilitates detection of SparkRAT infrastructure.

Critical indicators have been identified, such as HTTP Basic Authentication prompts on suspected C2 panels and minimalistic HTTP response headers lacking details like Server and Content-Type.

Security analysts have emphasized the importance of analyzing JSON responses from C2 servers, which can reveal identifiers unique to SparkRAT deployments.

DPRK-Linked Campaigns

In November 2024, researchers linked SparkRAT to cyber espionage operations likely originating from North Korea (DPRK).

The campaign distributed the malware using domains masquerading as meeting platforms.

Advanced scans identified three active C2 servers with open directories hosting SparkRAT implants. Notable IPs involved in this activity include:

  • 152.32.138[.]108 (Seoul, Korea)
  • 15.235.130[.]160 (Singapore)
  • 118.194.249[.]38 (Seoul, Korea)

On one server, an exposed directory under /dev revealed malicious files such as client.bin (a SparkRAT binary) and scripts (dev.sh and test.sh) that leverage curl to download the payload.

SparkRAT
Commands in the dev.sh file.

The scripts execute the payload with chmod 777 permissions, facilitating persistence via configuration changes.

The SparkRAT binary, identified with a SHA-256 hash of cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56, establishes TCP connections with additional C2 infrastructure.

On other servers, similar binaries were discovered, featuring slight modifications but maintaining key malicious behaviors like frequent contact with port 8000.

An alarming discovery was made on a Vietnamese-facing gaming platform, one68[.]top, which distributed an Android APK linked to SparkRAT activity.

The APK initiates WebSocket connections through Cloudflare-protected servers, complicating attribution efforts.

Hunt noted the APK file (one68_1_1.0.apk, SHA-256: ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e) and associated its behavior with data exfiltration and persistent backdoor functionality.

SparkRAT demonstrates how easily adaptable infrastructure can support diverse malicious campaigns, from espionage to financial fraud.

The cross-platform nature of the toolkit, coupled with innovative delivery methods like gaming platforms, increases its potential attack surface.

Analysts recommend focusing on network observables such as unpopulated HTTP headers on port 8000 and specific JSON error messages during POST requests to identify SparkRAT C2 servers effectively.

By expanding detection capabilities and continuously monitoring SparkRAT’s infrastructure, defenders can disrupt the operations of adversaries and stem the proliferation of this persistent threat.

Further investigation remains ongoing to characterize additional SparkRAT binaries and C2 behaviors.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...