SparkRAT Being Distributed Within a Korean VPN Installer

AhnLab Security Emergency response Center (ASEC) has recently discovered SparkRAT being distributed within the installer of a certain VPN program. SparkRAT is a Remote Administration Tool (RAT) developed with GoLang. When installed on a user’s system, it can perform a variety of malicious behaviors, such as executing commands remotely, controlling files and processes, downloading additional payloads, and collecting information from the infected system like by taking screenshots.

1. Case of Distribution

The VPN provider, whose installer contained SparkRAT appears to have been in operation since the past, as seen in the signed certificates of the files and notices on their official website. Therefore, it is clear that the current website was not created specifically for distributing malware as the distribution of an installer with malware inside of it was discovered recently.

Figure 1. Official website of the VPN containing SparkRAT

The installer is only available in Korean, but the official website of the VPN supports English, Chinese, and Japanese. According to their notice, it can be assumed that many people in China install the program to ensure smooth Internet access. In fact, even in our own AhnLab Smart Defense (ASD) logs, we have observed a higher number of installations from users in China compared to Korea.

Figure 2. Process tree

The file downloaded from the official website is not the previously confirmed installer, but rather a dropper created using .NET. The dropper has the original VPN installer and the malware stored in its resources. When executed, it generates the malware in the path %LOCALAPPDATA%\Syservices\svchost.exe before launching it.

Figure 3. Malware and installer saved in resources

In addition, since the original VPN installer is created and launched along with the malware, it is difficult for users to recognize that malware had been installed, and are led to believe that the VPN installer was executed without issue. Furthermore, the malware is registered in the task scheduler to ensure it will be executed even after system reboots.

Figure 4. Generated files and the executed VPN installer

The malware created under the name “svchost.exe” is also a dropper. It bears similarities to the aforementioned dropper in that it contains SparkRAT within its resources. Its function is to generate the malware as “svch.exe” in the same directory and execute it.

Figure 5. Similarly structured dropper that creates SparkRAT

2. SparkRAT

SparkRAT is an open-source RAT malware that is publicly available on GitHub. Notable for being developed with GoLang, SparkRAT provides basic features commonly found in RAT malware, such as executing commands, stealing information, and controlling processes and files.

Figure 6. SparkRAT source code publicly available on GitHub

Due to its support for various platforms, the GoLang is commonly used to develop malware that targets not only Windows but also Linux and MacOS. Similarly, SparkRAT supports all three operating systems and provides categorized features based on each platform, as shown in the following table.

Figure 7. Features offered for each platform

As shown in the above GitHub page, another notable feature of SparkRAT is its support for the Chinese language. The developer is also known for their ability to use Chinese. [1] In the past, SentinelOne had covered the DragonSpark attack campaign that used SparkRAT and made the assumption that the threat actors were fluent in Chinese. While it is not possible to identify the specific threat actor, it is worth noting that the VPN used in the current attack is also a program commonly used in China.

The SparkRAT used in the attacks was not obfuscated, making it easy to distinguish based on the used function names. SparkRAT decrypts the configuration data and retrieves information such as the C&C address and port number from the initialization function, main.init().

Figure 8. SparkRAT that has not been obfuscated

Figure 9. Decrypted configuration data of SparkRAT

Additionally, while checking related files through the company’s ASD logs, ASEC discovered additional malware through the installer malware believed to be this VPN. These malware samples are suspected to have been distributed around the same time and are notable for their use of SparkRAT based on x86 architecture.

Figure 10. Configuration data of x86 SparkRAT

In addition, while the x64 version of SparkRAT used the https protocol, the x86 version used http, which allows the following unencrypted packets to be observed.

Figure 11. Packet communication of x86 SparkRAT

3. Conclusion

ASEC has recently confirmed cases where SparkRAT was distributed within VPN installers. It is suspected that the threat actor hacked a legitimate VPN service to distribute their malware. When users download and install the malicious installer from the official website, the installer not only installs SparkRAT but also the original VPN installer, rendering it difficult for users to notice that they have been infected by malware. Users must practice caution by updating V3 to the latest version to block malware infection in advance.

File Detection
– Dropper/Win.Agent.C5421402 (2023.05.03.00)
– Trojan/Win.Malware-gen.R557808 (2023.02.11.01)
– Dropper/Win.Agent.C5421380 (2023.05.03.00)
– Trojan/Win.Generic.C5228761 (2022.08.28.00)
– Dropper/Win.SparkRAT.C5421465 (2023.05.03.01)
– Backdoor/Win.SparkRAT.C5421466 (2023.05.03.01)

IOC
MD5
– 2e3ce7d90d988e1b0bb7ffce1731b04b: Malicious installer downloaded from the official website (167775071_dJABfPme_[…..]VPNSetup1.0.4.3.exe)
– b571d849c0cb3c7af1cee6990654972b: Dropper generated by the malicious installer (svchost.exe)
– 5b78c44262ebcb4ce52e75c331683b5b: SparkRAT x64 (svch.exe)
– a5950704dfa60ba5362ec4a8845c25b2: Malicious installer (167780244_4sfjr6so_[…..]vpnsetup1.0.4.3.exe)
– 7923f9e0e28ceecdb34e924f2c04cda0: Malicious installer – SparkRAT x86 (167775071_gbyri71h_167775186_nyc0wzmq_[…..]vpnsetup1.0.4.3.exe)
– e4805cbd59fe793c48f6341f3d1e5466: SparkRAT x86 (svh.exe)
– 54dd763bca743cbdbdfe709d9ab1d0db: SparkRAT x86 (svh.exe)

C&C
– gwekekccef.webull[.]day:443: SparkRAT x64
– 59.22.167[.]217:34646: SparkRAT x86

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post SparkRAT Being Distributed Within a Korean VPN Installer appeared first on ASEC BLOG.

Article Link: https://asec.ahnlab.com/en/52899/