Researchers have uncovered new developments in SparkRAT operations, shedding light on its persistent use in malicious campaigns targeting macOS users and government organizations.
The findings, detailed in a recent report, underscore the evolving tactics of threat actors leveraging SparkRAT’s modular framework and cross-platform capabilities across Windows, macOS, and Linux.
SparkRAT’s Communication
Originally released on GitHub in 2022 by user XZB-1248, SparkRAT is a Remote Access Trojan (RAT) renowned for its adaptability, user-friendly web interface, and multi-platform compatibility.
The malware operates through a command-and-control (C2) server using WebSocket-based communication, transitioning to HTTP POST requests to verify updates from its repository.
By default, C2 servers are configured on port 8000, a characteristic that facilitates detection of SparkRAT infrastructure.
Critical indicators have been identified, such as HTTP Basic Authentication prompts on suspected C2 panels and minimalistic HTTP response headers lacking details like Server and Content-Type.
Security analysts have emphasized the importance of analyzing JSON responses from C2 servers, which can reveal identifiers unique to SparkRAT deployments.
DPRK-Linked Campaigns
In November 2024, researchers linked SparkRAT to cyber espionage operations likely originating from North Korea (DPRK).
The campaign distributed the malware using domains masquerading as meeting platforms.
Advanced scans identified three active C2 servers with open directories hosting SparkRAT implants. Notable IPs involved in this activity include:
- 152.32.138[.]108 (Seoul, Korea)
- 15.235.130[.]160 (Singapore)
- 118.194.249[.]38 (Seoul, Korea)
On one server, an exposed directory under /dev revealed malicious files such as client.bin (a SparkRAT binary) and scripts (dev.sh and test.sh) that leverage curl to download the payload.
The scripts execute the payload with chmod 777 permissions, facilitating persistence via configuration changes.
The SparkRAT binary, identified with a SHA-256 hash of cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56, establishes TCP connections with additional C2 infrastructure.
On other servers, similar binaries were discovered, featuring slight modifications but maintaining key malicious behaviors like frequent contact with port 8000.
An alarming discovery was made on a Vietnamese-facing gaming platform, one68[.]top, which distributed an Android APK linked to SparkRAT activity.
The APK initiates WebSocket connections through Cloudflare-protected servers, complicating attribution efforts.
Hunt noted the APK file (one68_1_1.0.apk, SHA-256: ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e) and associated its behavior with data exfiltration and persistent backdoor functionality.
SparkRAT demonstrates how easily adaptable infrastructure can support diverse malicious campaigns, from espionage to financial fraud.
The cross-platform nature of the toolkit, coupled with innovative delivery methods like gaming platforms, increases its potential attack surface.
Analysts recommend focusing on network observables such as unpopulated HTTP headers on port 8000 and specific JSON error messages during POST requests to identify SparkRAT C2 servers effectively.
By expanding detection capabilities and continuously monitoring SparkRAT’s infrastructure, defenders can disrupt the operations of adversaries and stem the proliferation of this persistent threat.
Further investigation remains ongoing to characterize additional SparkRAT binaries and C2 behaviors.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free