Security researchers have identified new developments in the SparkRAT (Remote Access Trojan) malware campaign, revealing expanded targeting of macOS systems and evolving delivery mechanisms.
This sophisticated malware, initially released on GitHub in 2022, has grown in popularity among threat actors due to its modular design, cross-platform compatibility, and web-based user interface.
Recent investigations have traced its use in ongoing cyberespionage campaigns linked to North Korean threat actors.
SparkRAT Operations
SparkRAT communicates with command-and-control (C2) servers using the WebSocket protocol and HTTP requests.
By default, it operates on port 8000, but configurations can vary. Detection efforts focus on default port behaviors and specific HTTP headers, such as the absence of standard fields like “Content-Type” and “Server” in responses.
These indicators, combined with upgrade request paths (e.g., /api/client/update?arch=*), aid in identifying SparkRAT infrastructure in the wild.
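The detection heuristics just described (default port 8000, responses missing both the Content-Type and Server headers, and the /api/client/update?arch= upgrade path), applied to a few constructed HTTP records. This is an added example written for this page, not code from the article or from Hunt; the record layout, the sample data and the "upgrade path or at least two indicators" scoring rule are assumptions.

```python
"""Flag HTTP request/response records that match the SparkRAT C2 indicators
described above. Added example, not code from the article or from Hunt; the
record layout, the sample data and the two-indicator scoring rule are assumptions."""
from dataclasses import dataclass, field

SPARKRAT_DEFAULT_PORT = 8000                   # default listener port, per the article
UPDATE_PATH_PREFIX = "/api/client/update"      # upgrade request path, per the article
EXPECTED_HEADERS = ("content-type", "server")  # normally present, absent on SparkRAT C2

@dataclass
class HttpRecord:
    """One proxy/IDS record: destination port, request path, response headers."""
    dst_port: int
    path: str
    response_headers: dict = field(default_factory=dict)

def sparkrat_indicators(rec: HttpRecord) -> list:
    """Return the names of every SparkRAT indicator this record matches."""
    hits = []
    if rec.dst_port == SPARKRAT_DEFAULT_PORT:
        hits.append("default_port_8000")
    if rec.path.startswith(UPDATE_PATH_PREFIX) and "arch=" in rec.path:
        hits.append("update_path")
    present = {name.lower() for name in rec.response_headers}
    if not any(h in present for h in EXPECTED_HEADERS):
        hits.append("missing_content_type_and_server")
    return hits

def classify(rec: HttpRecord) -> str:
    """Port 8000 alone is noisy (many benign dev servers use it), so require the
    upgrade path or at least two indicators before calling a record suspect."""
    hits = sparkrat_indicators(rec)
    return "suspect" if "update_path" in hits or len(hits) >= 2 else "benign"

# Constructed sample records (not real captures).
SAMPLE_RECORDS = [
    HttpRecord(8000, "/api/client/update?arch=amd64", {}),
    HttpRecord(443, "/index.html", {"Content-Type": "text/html", "Server": "nginx"}),
    HttpRecord(8000, "/healthz", {"Content-Type": "application/json"}),
    HttpRecord(8443, "/api/client/update?arch=darwin", {"Content-Length": "0"}),
]

def triage(records=SAMPLE_RECORDS) -> list:
    """Return (record index, verdict, indicators) for every suspect record."""
    return [(i, classify(r), sparkrat_indicators(r))
            for i, r in enumerate(records) if classify(r) == "suspect"]
```

The fourth record is flagged even though it does not use port 8000, which is the point of extending detection beyond default configurations as the article recommends.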
In recent analyses, researchers observed the malware’s persistence strategies on macOS systems.
A malicious binary, identified as client.bin, configures itself to execute every 10 minutes by creating a PLIST file in the /Users/run directory.
The binary establishes TCP connections to C2 servers, with additional evidence of its capabilities revealed through active scans of exposed directories hosting related files (e.g., dev.sh and test.sh).
macOS Campaign and Infrastructure Insight
The SparkRAT campaign shows traces of North Korean (DPRK) activity, with servers hosted on infrastructure in South Korea and Singapore.
Researchers found IPs linked to UCLOUD and OVH hosting providers, as well as domains such as gsoonmann[.]site and updatetiker[.]net.
These domains feature open directories with key artifacts, including client.bin and bash scripts used for distributing the malware.
The scripts download and execute SparkRAT binaries via curl, setting permissions to execute the malicious payload in the background.
One server located at 152.32.138[.]108 hosted SparkRAT binaries and bash scripts under the /dev directory.
Another server, 15.235.130[.]160, displayed similar behavior while using unique directory labels to obscure activity.
The malware’s adaptability and minimal operational security measures, such as using Let’s Encrypt TLS certificates and Namecheap-registered domains, reflect its operators’ efforts to maintain a covert infrastructure.
Additionally, threat actors leveraged a Vietnamese gaming platform, one68[.]top, to distribute an Android APK (one68_1_1.0.apk) associated with the campaign.
The APK initiated WebSocket connections to a C2 server, employing Cloudflare protection to conceal its origin, demonstrating the campaign’s cross-platform reach and deceptive delivery tactics.
SparkRAT’s continued presence highlights the dangers posed by modular malware designed for multi-platform exploitation.
Its use in cyberespionage campaigns against government entities and its association with evolving techniques such as leveraging fake meeting domains and open directories underline the sophistication of modern threat actors.
Hunt researchers emphasize the importance of proactive detection strategies, including monitoring default port 8000, tracking specific HTTP header patterns, and identifying anomalies in directory structures.
Efforts to disrupt SparkRAT infrastructure are ongoing, with teams scanning for additional servers while expanding detection beyond default configurations.
As SparkRAT remains active and adversaries refine their methods, organizations are urged to implement robust threat intelligence and monitoring solutions.
These measures are essential to mitigate the risks posed by this continuously evolving malware campaign.