lazarusholic

Unmasking SparkRAT: Detection & macOS Campaign Insights

2025-01-28, Hunt.io
https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections
#SparkRAT #macOS

SparkRAT: Server Detection, macOS Activity, and Malicious Connections
Published on Jan 28, 2025
SparkRAT, first released on GitHub in 2022 by user XZB-1248, remains a favored tool due to its modular design, web-based user interface, and cross-platform support for Windows, macOS, and Linux systems. The malware has been deployed as a post-exploitation tool in campaigns associated with CVE-2024-27198 and observed in cyber espionage operations targeting government organizations. In our previous post from April last year titled "Spotting SparkRAT: Detection Tactics & Sandbox Findings", we provided a high-level overview of the RAT, analyzing an implant and its C2 server.
In this post, we will:
Share techniques on detecting SparkRAT servers in the wild.
Examine a recent sighting: An extension of a suspected DPRK campaign targeting macOS users.
Understanding SparkRAT Communications and Detection
Developed in Golang, SparkRAT leverages the WebSocket protocol to communicate with the command-and-control server. Following this, the malware moves to HTTP, …

IoC

http://gmnormails.site
http://gmoosomnoem.site
http://henho247.net
http://remote.henh247.net
http://updatetiker.net
http://152.32.138.108
http://one68.top/client
http://gmoocsoom.site
http://118.194.249.38
http://nasanecesoi.site
http://gnmoommle.space
http://namerowem.site
http://gmoonsom.site
http://15.235.130.160
http://ggnmcomas.site
http://updatetiker.site
http://one68.top
http://updatetiker.site/dev/client.bin
http://remote.henho247.net
http://gsoonmann.site
http://gomncomow.site
http://gmcomamz.site
http://51.79.218.159:8000
http://mncomgom.site
http://51.79.218.159
http://gooczmmnc.site
138.108.118.194.249
[email protected]
[email protected]
ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e
cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56
52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15