Cyber Security News

Hackers Attacking Windows, macOS, and Linux systems With SparkRAT

Researchers have uncovered new developments in SparkRAT operations, shedding light on its persistent use in malicious campaigns targeting macOS users and government organizations.

The findings, detailed in a recent report, underscore the evolving tactics of threat actors leveraging SparkRAT’s modular framework and cross-platform capabilities across Windows, macOS, and Linux.

SparkRAT’s Communication

Originally released on GitHub in 2022 by user XZB-1248, SparkRAT is a Remote Access Trojan (RAT) renowned for its adaptability, user-friendly web interface, and multi-platform compatibility.

The malware communicates with its command-and-control (C2) server over WebSocket, switching to HTTP POST requests when it checks its repository for updates.

Example request for an upgrade in SparkRAT.

By default, C2 servers are configured on port 8000, a characteristic that facilitates detection of SparkRAT infrastructure.

Critical indicators have been identified, such as HTTP Basic Authentication prompts on suspected C2 panels and minimalistic HTTP response headers lacking details like Server and Content-Type.

Security analysts have emphasized the importance of analyzing JSON responses from C2 servers, which can reveal identifiers unique to SparkRAT deployments.

DPRK-Linked Campaigns

In November 2024, researchers linked SparkRAT to cyber espionage operations likely originating from North Korea (DPRK).

The campaign distributed the malware using domains masquerading as meeting platforms.

Advanced scans identified three active C2 servers with open directories hosting SparkRAT implants. Notable IPs involved in this activity include:

  • 152.32.138[.]108 (Seoul, Korea)
  • 15.235.130[.]160 (Singapore)
  • 118.194.249[.]38 (Seoul, Korea)

On one server, an exposed directory under /dev revealed malicious files such as client.bin (a SparkRAT binary) and scripts (dev.sh and test.sh) that leverage curl to download the payload.

Commands in the dev.sh file.

The scripts make the downloaded payload world-readable, -writable and -executable (chmod 777) before executing it, and persistence is then established through configuration changes.

The SparkRAT binary, identified with a SHA-256 hash of cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56, establishes TCP connections with additional C2 infrastructure.

On other servers, similar binaries were discovered, featuring slight modifications but maintaining key malicious behaviors like frequent contact with port 8000.

An alarming discovery was made on a Vietnamese-facing gaming platform, one68[.]top, which distributed an Android APK linked to SparkRAT activity.

The APK initiates WebSocket connections through Cloudflare-protected servers, complicating attribution efforts.

Hunt noted the APK file (one68_1_1.0.apk, SHA-256: ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e) and associated its behavior with data exfiltration and persistent backdoor functionality.

SparkRAT demonstrates how easily adaptable infrastructure can support diverse malicious campaigns, from espionage to financial fraud.

The cross-platform nature of the toolkit, coupled with innovative delivery methods like gaming platforms, increases its potential attack surface.

Analysts recommend focusing on network observables such as unpopulated HTTP headers on port 8000 and specific JSON error messages during POST requests to identify SparkRAT C2 servers effectively.
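As an added illustration of the network observables listed above and in the earlier SparkRAT's Communication section (example code written for this edit, not from the report or the SparkRAT project), the function below scores a raw HTTP response against those indicators: default port 8000, an HTTP Basic Authentication prompt, missing Server and Content-Type headers, and a JSON body carrying a known identifier. The sample responses, the JSON body shape and the marker string are constructed placeholders, since the report does not quote the real messages.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample responses for this example, not captures from real SparkRAT servers.
# Only Content-Length is present, mirroring the sparse headers the report describes.
SAMPLE_PANEL = ('HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Restricted"\r\n'
                "Content-Length: 0\r\n\r\n")
# The JSON body is a placeholder shape; the report does not quote the real messages.
SAMPLE_POST_ERROR = ('HTTP/1.1 200 OK\r\nContent-Length: 34\r\n\r\n'
                     '{"code":1,"msg":"PLACEHOLDER_MSG"}')
SAMPLE_BENIGN = ("HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"
                 "<html></html>")

DEFAULT_C2_PORT = 8000
FINGERPRINT_HEADERS = ("server", "content-type")

def parse_http_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lowercased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def score_sparkrat_c2(port: int, raw: str, json_markers: Tuple[str, ...] = ()) -> List[str]:
    """Return the SparkRAT C2 indicators from the report that one response matches."""
    status, headers, body = parse_http_response(raw)
    hits = []
    if port == DEFAULT_C2_PORT:  # weak on its own; combine with the header/body checks
        hits.append("default C2 port 8000")
    if status == 401 and headers.get("www-authenticate", "").lower().startswith("basic"):
        hits.append("HTTP Basic Authentication prompt")
    if all(h not in headers for h in FINGERPRINT_HEADERS):
        hits.append("no Server/Content-Type headers")
    try:
        body_json = json.loads(body) if body else None
    except ValueError:
        body_json = None
    if isinstance(body_json, dict):
        # Match only identifiers you have verified from your own samples (placeholder here).
        hits.extend(f"JSON marker {m!r}" for m in json_markers if m in json.dumps(body_json))
    return hits

if __name__ == "__main__":
    for port, raw in ((8000, SAMPLE_PANEL), (8000, SAMPLE_POST_ERROR), (443, SAMPLE_BENIGN)):
        print(port, score_sparkrat_c2(port, raw, ("PLACEHOLDER_MSG",)))
```

Treat the score as a triage signal for further analysis of the host, not as attribution by itself.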

By expanding detection capabilities and continuously monitoring SparkRAT’s infrastructure, defenders can disrupt the operations of adversaries and stem the proliferation of this persistent threat.

Further investigation remains ongoing to characterize additional SparkRAT binaries and C2 behaviors.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
