Cyber Affairs

Hackers Using Golang Source Code Interpreter To Bypass Detection

by admin
Jan 24, 2023
in News

Researchers have uncovered an uncommon technique employed by Chinese-speaking threat actors, in which a Golang source code interpreter is used to evade detection in the DragonSpark malware campaign.

DragonSpark is the first malicious campaign observed to use SparkRAT, an open-source tool, and it targets East Asian organizations.

SparkRAT is an open-source remote access trojan (RAT) created by the Chinese-speaking developer XZB-1248. It is multi-platform and feature-rich, and its developer updates it frequently.

Researchers consider the campaign's use of a Golang source code interpreter to obfuscate the malware's implementation a very strange and uncommon technique.


The actors also used Golang-based malware that interprets embedded Golang source code at run time, a technique that makes static analysis-based detection harder: the malicious logic is stored as encoded source text and only becomes executable code once the interpreter parses it, so signatures and disassembly of the compiled binary see little more than the interpreter itself.

The DragonSpark attacks leverage hacked infrastructure located in China and Taiwan to stage SparkRAT along with other tools and malware.

After gaining successful access to the network, the threat actor conducted a variety of malicious activities, such as lateral movement, privilege escalation, and deployment of malware and tools hosted at attacker-controlled infrastructure, SentinelOne researchers said.

DragonSpark Attacks Infection Process

During the initial stage of the attack, the attackers compromised Internet-exposed web servers and MySQL database servers and deployed the China Chopper webshell; the sequence &echo [S]&cd&echo [E] was observed in the webshell's virtual terminal requests. The China Chopper client appends that sequence to each command it runs so that it can cut the command's output out of the HTTP response between the [S] and [E] markers, which makes it a dependable string to hunt for in web server logs and WAF captures.

China Chopper is a well-known, very small webshell that attackers plant on a web server after exploiting a vulnerability in a public-facing application (an unrestricted file upload or SQL injection, for example) and then drive with a client that sends its commands inside ordinary-looking HTTP POST requests.
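To make the detection concrete, here is an added example, not code from the article or from SentinelOne, that scans the body of a form-encoded POST request for the two China Chopper traits described above: the one-line eval(base64_decode(...)) stager and a base64-encoded virtual terminal command carrying the &echo [S]&cd&echo [E] marker. The request body is constructed for the example; the parameter names password, z0, z1 and z2 follow the classic China Chopper client convention, and the z0 payload is a short stand-in for the real one.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
)

// VirtualTerminalMarker is the sequence the China Chopper client appends to
// every virtual-terminal command so it can cut the command output out of the
// HTTP response between [S] and [E].
const VirtualTerminalMarker = "&echo [S]&cd&echo [E]"

// Finding describes one suspicious parameter in a POST body.
type Finding struct {
	Param   string // form parameter that triggered the match
	Reason  string // which China Chopper trait matched
	Command string // decoded command text, if the value was a base64 command
}

// decodeMaybeBase64 tries padded and unpadded base64. Spaces are turned back
// into '+' first, because a client that does not percent-encode '+' gets it
// decoded as a space by url.ParseQuery.
func decodeMaybeBase64(s string) string {
	s = strings.ReplaceAll(s, " ", "+")
	for _, enc := range []*base64.Encoding{base64.StdEncoding, base64.RawStdEncoding} {
		if b, err := enc.DecodeString(s); err == nil {
			return string(b)
		}
	}
	return ""
}

// ScanChinaChopperBody inspects an application/x-www-form-urlencoded POST body
// (as captured by a WAF or full-packet logger) for China Chopper traits.
func ScanChinaChopperBody(body string) []Finding {
	values, err := url.ParseQuery(body)
	if err != nil {
		return nil
	}
	var findings []Finding
	for param, vals := range values {
		for _, v := range vals {
			lv := strings.ToLower(v)
			// Trait 1: the one-line PHP stager the webshell evaluates,
			// e.g. @eval(base64_decode($_POST[z0]));
			if strings.Contains(lv, "eval(") && strings.Contains(lv, "base64_decode") {
				findings = append(findings, Finding{Param: param, Reason: "eval/base64_decode stager"})
			}
			// Trait 2: a base64-encoded command line ending in the marker.
			if decoded := decodeMaybeBase64(v); strings.Contains(decoded, VirtualTerminalMarker) {
				findings = append(findings, Finding{Param: param, Reason: "virtual terminal marker", Command: decoded})
			}
		}
	}
	return findings
}

// SampleChopperBody builds a constructed request body in the shape of a
// China Chopper virtual-terminal request (not captured DragonSpark traffic).
func SampleChopperBody() string {
	cmd := `cd /d "C:\inetpub\wwwroot\"&whoami&echo [S]&cd&echo [E]`
	v := url.Values{}
	v.Set("password", "@eval(base64_decode($_POST[z0]));")
	v.Set("z0", base64.StdEncoding.EncodeToString([]byte(`@ini_set("display_errors","0");@set_time_limit(0);`)))
	v.Set("z1", base64.StdEncoding.EncodeToString([]byte("cmd")))
	v.Set("z2", base64.StdEncoding.EncodeToString([]byte(cmd)))
	return v.Encode()
}

func main() {
	for _, f := range ScanChinaChopperBody(SampleChopperBody()) {
		fmt.Printf("param=%s reason=%q command=%q\n", f.Param, f.Reason, f.Command)
	}
}
```

Parameter names vary between China Chopper variants, so the scan keys on value content rather than on names: the stager check looks at the raw value and the marker check at whatever decodes as base64, regardless of which parameter carries it.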

The threat actors behind DragonSpark made heavy use of the following open-source tools alongside SparkRAT:

SharpToken: a privilege escalation tool that enables the execution of Windows commands with SYSTEM privileges.
BadPotato: a tool similar to SharpToken that elevates user privileges to SYSTEM for command execution.
GotoHTTP: a cross-platform remote access tool that implements a wide array of features, such as establishing persistence, file transfer, and screen viewing.

SparkRAT communicates with its C2 server over the WebSocket protocol, and its auto-upgrade feature lets the RAT update itself to the latest version available on the C2 server, so a deployed implant can change after it has been sampled.

Golang Source Code Interpreter To Evade Detection

Along with the open-source tools, the attackers also used two custom-built malware samples to execute malicious code:

m6699.exe – Implemented in Golang.
ShellCode_Loader – Implemented in Python and delivered as a PyInstaller package.

m6699.exe is a Golang malware that uses the Yaegi framework to interpret, at runtime, encoded Golang source code stored within the compiled binary; the embedded source is executed as if it had been compiled. The attackers use this technique to keep the malicious code out of reach of static analysis.

The Golang malware's main purpose is to execute a first-stage shellcode that implements a loader, which in turn drops and executes a second-stage shellcode.

When m6699.exe executes, the threat actor can establish a Meterpreter session for remote command execution.

A Meterpreter session with an m6699.exe instance
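A disassembler cannot recover logic that only exists as source text, but the interpreter itself leaves traces a static triage can key on. The following is an added example written for this article, not DragonSpark code and not a SentinelOne tool: a small scanner that looks in a Go binary for the import path of the Yaegi interpreter (github.com/traefik/yaegi/...), which unstripped Go binaries retain, and for long base64 runs that decode to something with Go source structure. The sample "binary" is a constructed byte slice, and base64 is an assumption about the encoding, since the article says only that the embedded source is encoded.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// yaegiMarkers are import paths of the Yaegi interpreter. A Go binary that has
// not been stripped or obfuscated keeps its package import paths, so their
// presence says the binary is able to execute Go source at run time.
var yaegiMarkers = []string{
	"github.com/traefik/yaegi/interp",
	"github.com/traefik/yaegi/stdlib",
}

// base64Run matches runs of base64 text long enough to hold a source file;
// short runs are ignored to keep noise from symbol names down.
var base64Run = regexp.MustCompile(`[A-Za-z0-9+/]{64,}={0,2}`)

// Report is the result of scanning one binary.
type Report struct {
	YaegiImports   []string // interpreter import paths found in the file
	EmbeddedSource []string // decoded blobs that have Go source structure
}

// Suspicious is true only when both traits are present: an interpreter and
// something for it to interpret.
func (r Report) Suspicious() bool {
	return len(r.YaegiImports) > 0 && len(r.EmbeddedSource) > 0
}

// looksLikeGoSource is a cheap structural check; a fuller scanner would hand
// the blob to go/parser.
func looksLikeGoSource(s string) bool {
	return strings.Contains(s, "package ") && strings.Contains(s, "func ")
}

// ScanForInterpretedGo scans raw file bytes for the two traits.
func ScanForInterpretedGo(data []byte) Report {
	var r Report
	for _, m := range yaegiMarkers {
		if bytes.Contains(data, []byte(m)) {
			r.YaegiImports = append(r.YaegiImports, m)
		}
	}
	for _, blob := range base64Run.FindAll(data, -1) {
		dec, err := base64.StdEncoding.DecodeString(string(blob))
		if err != nil {
			dec, err = base64.RawStdEncoding.DecodeString(string(blob))
		}
		if err != nil {
			continue
		}
		if looksLikeGoSource(string(dec)) {
			r.EmbeddedSource = append(r.EmbeddedSource, string(dec))
		}
	}
	return r
}

// SampleInterpreterBinary is a constructed stand-in for a binary like
// m6699.exe: a fake header, the Yaegi import path and a base64-encoded Go
// program, separated by NUL bytes the way string tables usually are.
func SampleInterpreterBinary() []byte {
	src := "package main\n\nimport \"os/exec\"\n\nfunc main() {\n\tout, _ := exec.Command(\"whoami\").Output()\n\t_ = out\n}\n"
	var b []byte
	b = append(b, "MZ\x90\x00"...)
	b = append(b, make([]byte, 16)...)
	b = append(b, "github.com/traefik/yaegi/interp\x00"...)
	b = append(b, base64.StdEncoding.EncodeToString([]byte(src))...)
	b = append(b, 0)
	return b
}

func main() {
	r := ScanForInterpretedGo(SampleInterpreterBinary())
	fmt.Printf("yaegi imports: %v\n", r.YaegiImports)
	fmt.Printf("embedded source blobs: %d, suspicious: %v\n", len(r.EmbeddedSource), r.Suspicious())
}
```

A stripped or obfuscated binary (one built with garble, for example) may not keep the import path, and the source may be encoded with something other than base64, so both checks are triage starting points rather than a signature. A hit on either half still justifies running the sample under a debugger or sandbox: Yaegi parses source text, so the decoded program has to appear in memory in the clear before anything executes.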

ShellCode_Loader is the internal name of a PyInstaller-packaged malware implemented in Python. It serves as the loader for a shellcode that implements a reverse shell.

“The shellcode creates a thread and connects to a C2 server using the Windows Sockets 2 library. When the shellcode executes, the threat actor can establish a Meterpreter session for remote command execution.”

A Meterpreter session with a ShellCode_Loader instance 

DragonSpark attacks leveraged infrastructure located in Taiwan, Hong Kong, China, and Singapore to stage SparkRAT and other tools and malware, and the C2 servers were observed in Hong Kong and the United States.

Indicators of Compromise

The indicators are defanged: read [.] as ".", [:] as ":" and hxxp(s) as http(s). The first three indicators are SHA-1 file hashes.

Description Indicator
ShellCode_Loader (a PyInstaller package) 83130d95220bc2ede8645ea1ca4ce9afc4593196
m6699.exe 14ebbed449ccedac3610618b5265ff803243313d
SparkRAT 2578efc12941ff481172dd4603b536a3bd322691
C2 server network endpoint for ShellCode_Loader 103.96.74[.]148:8899
C2 server network endpoint for SparkRAT 103.96.74[.]148[:]6688
C2 server network endpoint for m6699.exe 103.96.74[.]148:6699
C2 server IP address for China Chopper 104.233.163[.]190
Staging URL for ShellCode_Loader hxxp://211.149.237[.]108:801/py.exe
Staging URL for m6699.exe hxxp://211.149.237[.]108:801/m6699.exe
Staging URL for SparkRAT hxxp://43.129.227[.]159:81/c.exe
Staging URL for GotoHTTP hxxp://13.213.41[.]125:9001/go.exe
Staging URL for ShellCode_Loader hxxp://www.bingoplanet[.]com[.]tw/images/py.exe
Staging URL for ShellCode_Loader hxxps://www.moongallery.com[.]tw/upload/py.exe
Staging URL for ShellCode_Loader hxxp://www.holybaby.com[.]tw/api/ms.exe
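An added example (not from the article or from SentinelOne) that parses the indicator table above, restores the defanged values to matchable form (hxxp to http, [.] to ".", [:] to ":"), and checks them against a few constructed proxy, network and EDR log lines, including a WebSocket connection to the SparkRAT C2 endpoint. The "<time> <src> -> <dst> <detail>" log shape and the sample lines are assumptions made for the illustration; the indicator table is copied from the article.

```go
package main

import (
	"fmt"
	"strings"
)

// IOC is one row of the indicator table, with Value already refanged.
type IOC struct {
	Description string
	Value       string
}

// Hit records which indicator fired on which log line.
type Hit struct {
	Line string
	IOC  IOC
}

// Refang reverses the defanging used in published IOC lists.
func Refang(s string) string {
	return strings.NewReplacer(
		"hxxps://", "https://", "hxxp://", "http://", "[.]", ".", "[:]", ":",
	).Replace(s)
}

// ParseIOCTable reads "<description> <indicator>" lines; the indicator is the
// last whitespace-separated token and the header line is skipped.
func ParseIOCTable(table string) []IOC {
	var iocs []IOC
	for _, line := range strings.Split(table, "\n") {
		line = strings.TrimSpace(line)
		i := strings.LastIndex(line, " ")
		if line == "" || line == "Description Indicator" || i < 0 {
			continue
		}
		iocs = append(iocs, IOC{Description: line[:i], Value: Refang(line[i+1:])})
	}
	return iocs
}

// isTokenByte marks bytes that could extend an address, hostname or hash.
func isTokenByte(b byte) bool {
	return b == '.' || ('0' <= b && b <= '9') || ('a' <= b && b <= 'z') || ('A' <= b && b <= 'Z')
}

// containsIndicator is a substring search that requires token boundaries, so
// that 103.96.74.148:66 cannot fire inside 103.96.74.148:6688.
func containsIndicator(line, ind string) bool {
	for start := 0; ; {
		i := strings.Index(line[start:], ind)
		if i < 0 {
			return false
		}
		i += start
		end := i + len(ind)
		if (i == 0 || !isTokenByte(line[i-1])) && (end == len(line) || !isTokenByte(line[end])) {
			return true
		}
		start = i + 1
	}
}

// MatchLogs returns every (line, indicator) pair that fires, in log order.
func MatchLogs(iocs []IOC, logs []string) []Hit {
	var hits []Hit
	for _, line := range logs {
		for _, ioc := range iocs {
			if containsIndicator(line, ioc.Value) {
				hits = append(hits, Hit{Line: line, IOC: ioc})
			}
		}
	}
	return hits
}

// DragonSparkIOCTable is the article's indicator table.
const DragonSparkIOCTable = `Description Indicator
ShellCode_Loader (a PyInstaller package) 83130d95220bc2ede8645ea1ca4ce9afc4593196
m6699.exe 14ebbed449ccedac3610618b5265ff803243313d
SparkRAT 2578efc12941ff481172dd4603b536a3bd322691
C2 server network endpoint for ShellCode_Loader 103.96.74[.]148:8899
C2 server network endpoint for SparkRAT 103.96.74[.]148[:]6688
C2 server network endpoint for m6699.exe 103.96.74[.]148:6699
C2 server IP address for China Chopper 104.233.163[.]190
Staging URL for ShellCode_Loader hxxp://211.149.237[.]108:801/py.exe
Staging URL for m6699.exe hxxp://211.149.237[.]108:801/m6699.exe
Staging URL for SparkRAT hxxp://43.129.227[.]159:81/c.exe
Staging URL for GotoHTTP hxxp://13.213.41[.]125:9001/go.exe
Staging URL for ShellCode_Loader hxxp://www.bingoplanet[.]com[.]tw/images/py.exe
Staging URL for ShellCode_Loader hxxps://www.moongallery.com[.]tw/upload/py.exe
Staging URL for ShellCode_Loader hxxp://www.holybaby.com[.]tw/api/ms.exe`

// SampleLogs are constructed lines in an assumed "<time> <src> -> <dst> <detail>" shape.
var SampleLogs = []string{
	"2023-01-20T08:14:02Z 10.10.4.21 -> 211.149.237.108:801 GET http://211.149.237.108:801/m6699.exe",
	"2023-01-20T08:14:09Z 10.10.4.21 -> 103.96.74.148:6699 TCP connect",
	"2023-01-20T08:20:44Z 10.10.4.21 -> 103.96.74.148:6688 HTTP Upgrade: websocket",
	"2023-01-20T08:25:13Z edr host=WS-21 file=C:\\Users\\Public\\m6699.exe sha1=14ebbed449ccedac3610618b5265ff803243313d",
}

func main() {
	for _, h := range MatchLogs(ParseIOCTable(DragonSparkIOCTable), SampleLogs) {
		fmt.Printf("%s <- %s (%s)\n", h.Line, h.IOC.Value, h.IOC.Description)
	}
}
```

Token boundaries matter: plain substring matching on a bare IP or on a host:port prefix would also fire on unrelated addresses that merely start with the same digits, and the hash indicators only fire on lines that actually carry a file hash, so EDR and proxy sources should both be fed in.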

Copyright © 2022 Cyber Affairs. All rights reserved.
