Pulse: VTA - Hackers use Golang source code interpreter to evade detection
TLP:WHITE | DragonSpark | Superpro | Created: 2023-01-24 | Modified: 2023-02-23
A Chinese-speaking hacking group tracked as 'DragonSpark' was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. The threat actor, DragonSpark, relies on an open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more.
Malware families: Zegost, Cobalt Strike, Meterpreter, Golang
Indicators of Compromise (8 / 22 total)