Stealthy New Loader Helps SPARKRAT Malware Evade Detection


Cybersecurity researchers at Kroll have unveiled a worrisome advancement in the notorious SPARKRAT malware toolkit. A new, never-before-seen loader written in Golang is being actively used to sneak SPARKRAT onto targeted systems, allowing the malware to fly under the radar of traditional security tools.

How the Loader Works

Kroll describes a sophisticated process:

  • Disguise and Deception: The loader uses several layers of camouflage. The malware payload is disguised within two DLL files, one cleverly named to mimic legitimate Windows components. The payload itself is both Base64 encoded and AES encrypted.

  • Code Injection: The loader works by injecting the decrypted, malicious code directly into a seemingly harmless Windows process like Notepad, making it incredibly difficult for security solutions to distinguish the threat from normal activity.

The SPARKRAT Connection

SPARKRAT was introduced to the world by a GitHub developer, XZB-1248, as an open-source, feature-rich remote administration tool. Compiled for multiple platforms, SPARKRAT was initially intended as a benign tool. The project was abandoned in February 2023, but not before it caught the attention of cybercriminals. Modified versions of SPARKRAT began surfacing in various intrusion investigations, notably in the “DRAGONSPARK” campaign targeting organizations across East Asia. The malware’s ability to interpret its embedded Golang source code at runtime complicates analysis and evades static detections, marking a significant challenge for cybersecurity defenses.

Kroll’s research reveals that this new loader isn’t limited to SPARKRAT; they’ve found versions containing Cobalt Strike – a powerful penetration testing framework often misused by hackers.

The loader’s process begins with two files, Ntmssvc.dll and RemovableStorage.dll, with the former containing the loader functionality and the latter serving as the payload. Through a series of Base64 decoding and AES 192-bit decryption steps, the loader prepares the payload for injection. The stealthy brilliance of this loader lies in its second stage, where it deciphers the payload data, eventually injecting it into a notepad.exe instance. This not only allows the malware to hide in plain sight but also to execute the SPARKRAT payload seamlessly as part of a legitimate application.
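
For defenders, the payload container described above suggests a simple file-triage heuristic: a file named like a DLL that is not a PE image, but is Base64 text that decodes to high-entropy data. The sketch below is an added example, not code from Kroll or from the loader. It assumes the payload file is Base64 from start to finish and that AES is used in a block mode (the article states neither), and the entropy threshold, function names and sample files are all constructed for illustration.

```python
import base64, binascii, hashlib, math
from collections import Counter

AES_BLOCK = 16     # AES block size in bytes (same for 128/192/256-bit keys)
ENTROPY_MIN = 7.5  # assumed threshold, bits per byte; tune on your own data

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_dll(name: str, data: bytes) -> list[str]:
    """Return reasons a .dll-named file looks like an encoded, encrypted blob."""
    if not name.lower().endswith(".dll") or data[:2] == b"MZ":
        return []  # not DLL-named, or starts like a real PE image
    flags = ["dll-named file without MZ header"]
    try:  # strip line breaks, then require strictly valid Base64
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return flags
    if not decoded:
        return flags
    flags.append("entire content is Base64")
    if len(decoded) >= 256 and entropy(decoded) >= ENTROPY_MIN:
        flags.append("decoded data is high entropy")
        if len(decoded) % AES_BLOCK == 0:  # assumes a block mode such as CBC
            flags.append("decoded length is a multiple of the AES block size")
    return flags

def constructed_blob(size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                   for i in range(size // 32 + 1))
    return out[:size]

SAMPLES = {  # all three files are constructed for this example
    "payload_like.dll": base64.b64encode(constructed_blob(4096)),
    "real_pe.dll": b"MZ\x90\x00" + bytes(512),
    "notes_b64.dll": base64.b64encode(b"quarterly report draft " * 40),
}

def scan(samples: dict) -> dict:
    return {name: triage_dll(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "->", reasons or "no findings")
```

A hit is a lead for analysis rather than a verdict: legitimate software also ships Base64 resources, so pair this with context such as file location and which process loads or reads the file.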

LESLIELOADER – Undocumented Loader

Interestingly, a source code repository bearing similarity to LESLIELOADER, complete with instructions for payload utilization, surfaced around June 2022. While showing parallels, key differences were noted, such as the absence of network beaconing and process injection in the LESLIELOADER samples observed by Kroll. These distinctions underscore the adaptability of threat actors in modifying existing tools to evade detection and enhance the effectiveness of their campaigns.

Implications and Mitigation

The discovery of the SPARKRAT loader underscores the continuous evolution of cyber threats and the ingenuity of threat actors in exploiting systems. The use of legitimate system processes for malware delivery poses a significant challenge to existing cybersecurity measures, emphasizing the need for dynamic and adaptive defense mechanisms. Organizations must invest in advanced detection tools capable of identifying and mitigating such sophisticated threats.