[{"content":"A guide for deploying Telekom's awesome multi-honeypot T-Pot on Azure.\nAzure VM Deployment\nCreate a resource > select Ubuntu Server 24.04 LTS or Debian 12 \"Bookworm\".\nNote: Ubuntu was less \"problematic\"; Debian was slightly (negligibly) more performant. I went with Debian for this tutorial, but most steps should apply to both.\nBasics\nVirtual Machine Name: tpot\nRegion: East US 2\nAvailability Zone: 1\nImage: Debian 12 \"Bookworm\" - Gen2\nVM architecture: x64\nSize: Standard B4ms (4 vcpus, 16 GiB memory)\nAuthentication type: SSH public key\nPublic inbound ports: none\nNote: To save costs, it may be possible to run T-Pot on 2 cores / 8 GB RAM, though this would require tweaking Logstash/Elasticsearch (a T-Pot Hive install on a fresh server idles around 7.9-8.5 GB RAM usage).\nNote: You can allow immediate remote access via port 22 during this setup, but this port will be exposed to ALL external IPs. For this reason, I suggest setting 'Public inbound ports' to None and then creating a more restricted, temporary NSG rule after deploying the VM (see Install step #1).\nNote: You can select 'Generate new key pair' here if you want to use a new SSH key for accessing this VM. Put this key in your local .ssh folder. On *nix, restrict its permissions with chmod 400 {generated key name}.pem (no sudo needed, the key is your own file; ssh refuses to use a private key that other users can read).\nDisks\nOS Disk size: 128 GiB\nOS Disk type: Standard SSD LRS\nDelete with VM: Enabled\nNote: Though the official documentation says SSD storage is required, I found this to work fine on Standard HDD.
Networking\nVirtual network: tpot-vnet\nSubnet: default (10.0.0.0/24)\nPublic IP: tpot-ip\nAccelerated networking: On\nDelete with VM: Enabled\nNote: T-Pot expects your virtual network subnet (internal) to be a /24 (255.255.255.0).\nInstalling T-Pot\n1. Create a temporary SSH firewall rule (VM > Side Panel > Networking > Settings > (+) Create Port Rule > Inbound) that allows TCP/22 from your own public IP only.\n2. SSH into the VM.\n3. As non-root, cd $HOME and run the following command (please verify on the T-Pot GitHub page that it has not changed):\nenv bash -c \"$(curl -sL https://github.com/telekom-security/tpotce/raw/master/install.sh)\"\nNote: If unattended-upgrades.service is running (check with sudo systemctl status unattended-upgrades.service), you may need to stop it temporarily to avoid 'dpkg frontend lock' errors: sudo systemctl stop unattended-upgrades.service\nDuring install: T-Pot install type: 'h' (Hive). Document your chosen web username/password; you will need it to log in to the T-Pot Web Dashboard. Even though Azure NSG rules restrict access, make sure to use a strong web user password (e.g. 30+ character alphanumeric).\nWhen the installer finishes, reboot the VM as it asks. From then on sshd listens on port 64295 instead of 22 (22 becomes a honeypot port), so the temporary port-22 rule is no longer useful for management and is removed in the NSG section below.
System Tweaks\n$ sudo nano /etc/ssh/sshd_config\nchange: PasswordAuthentication {} --> PasswordAuthentication no, then sudo systemctl restart ssh (keep your current session open until you have confirmed a fresh key-based login works)\n$ sudo apt install unattended-upgrades\n$ sudo systemctl enable --now unattended-upgrades.service\n$ sudo crontab -e\n# cleanup (apt-get rather than apt, and -y on autoremove: apt warns about non-interactive use and an unanswered prompt would hang the job)\n0 2 * * 0 apt-get autoremove --purge -y && apt-get autoclean\n(if your VM has exim4 installed, it will compete with some of the honeypots for port 25)\n$ sudo systemctl disable --now exim4-base.timer exim4-base.service exim4.service\n$ sudo apt purge exim4*\nNSG Firewall Rules\nDelete the temporary SSH rule created for initial access, then add the rules below. Azure evaluates NSG rules by priority (lowest number first, first match wins) and ends with the built-in DenyAllInbound rule at priority 65500, so anything not explicitly allowed here stays closed.\nInbound rule 1 (management):\nSource: My IP address\nSource IP addresses/CIDR ranges: {your public IP}\nSource port ranges: *\nDestination: Any\nService: Custom\nDestination port ranges: 64294, 64295, 64297\nProtocol: Any\nAction: Allow\nPriority: 100\nName: Allow-TpotMgmt-Inbound\nDescription: Allow SSH (64295) and Web Dashboard (64297) access from My IP.\nInbound rule 2 (honeypots):\nSource: Any\nSource port ranges: *\nDestination: Any\nService: Custom\nDestination port ranges: 19,21,22,23,25,42,53,69,80,102,110,123,135,143,161,389,443,445,502,623,631,993,995,1025,1080,1433,1521,1723,1883,1900,2404,2575,3000,3306,3389,5000,5060,5432,5555,5900,6379,6667,8080,8081,8090,8443,9100,9200,10001,11112,11211,25565,44818,47808,50100\nProtocol: Any\nAction: Allow\nPriority: 110\nName: Allow-BadTraffic-Inbound\nDescription: Expose honeypot ports to the internet.\nNote: the source of this rule must be Any, not My IP. Restricting it to your own address would keep attackers out of the honeypots, which defeats the purpose of the deployment. Also double-check that none of the management ports (64294-64297) appear in the honeypot list.\nOutbound rule:\nSource: Any\nSource port ranges: *\nDestination: Any\nService: Custom\nDestination port ranges: 80, 443, 11434\nProtocol: Any\nAction: Allow\nPriority: 120\nName: Allow-TpotMgmt-Outbound\nDescription: Allow outbound management traffic (package updates and container image pulls on 80/443; 11434 is the default Ollama API port used by T-Pot's optional LLM-backed honeypots).\nNote: an NSG's default AllowInternetOutBound rule (priority 65001) already permits all outbound traffic, so this allow rule restricts nothing on its own. If you want to limit what a compromised honeypot container can reach, add a lower-priority Deny rule for the remaining outbound destinations beneath it.
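Because the three inbound rules above only work if their priorities and sources interact the way you expect, it is worth checking the rule table before applying it. The following is an added example (not part of the original guide and not T-Pot or Azure code) that simulates Azure NSG inbound evaluation for this rule set: rules are tried from the lowest priority number upward, the first match wins, and the built-in DenyAllInbound rule at 65500 catches the rest. The admin and attacker addresses are constructed sample values, and the audit function reports exactly the misconfiguration the note above warns about (the honeypot rule restricted to My IP).

```python
"""Added example: simulate Azure NSG inbound evaluation for the T-Pot rule set.
Azure evaluates rules from lowest priority number to highest and stops at the
first match; the built-in DenyAllInbound rule (priority 65500) catches the rest.
Addresses below are constructed sample data, not real infrastructure."""
import ipaddress
from dataclasses import dataclass

HONEYPOT_PORTS = {19, 21, 22, 23, 25, 42, 53, 69, 80, 102, 110, 123, 135, 143, 161, 389,
                  443, 445, 502, 623, 631, 993, 995, 1025, 1080, 1433, 1521, 1723, 1883,
                  1900, 2404, 2575, 3000, 3306, 3389, 5000, 5060, 5432, 5555, 5900, 6379,
                  6667, 8080, 8081, 8090, 8443, 9100, 9200, 10001, 11112, 11211, 25565,
                  44818, 47808, 50100}
MGMT_PORTS = {64294, 64295, 64297}
ADMIN_IP = "203.0.113.10"       # constructed: stands in for "My IP address"
INTERNET_IP = "198.51.100.77"   # constructed: an arbitrary attacker address


@dataclass(frozen=True)
class Rule:
    priority: int
    name: str
    source: str            # "*" (Any) or an IP/CIDR
    dest_ports: frozenset  # empty set means "*"
    allow: bool

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.dest_ports and dport not in self.dest_ports:
            return False
        if self.source == "*":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)


def tpot_rules(bad_traffic_source: str = "*") -> list:
    """The guide's inbound rules plus Azure's default deny. bad_traffic_source lets you
    model the mistake of restricting the honeypot rule to your own address."""
    return [
        Rule(100, "Allow-TpotMgmt-Inbound", f"{ADMIN_IP}/32", frozenset(MGMT_PORTS), True),
        Rule(110, "Allow-BadTraffic-Inbound", bad_traffic_source, frozenset(HONEYPOT_PORTS), True),
        # Azure's default AllowVnetInBound/AllowAzureLoadBalancerInBound use service tags,
        # not Internet sources, so they are omitted; DenyAllInbound is what Internet traffic hits.
        Rule(65500, "DenyAllInbound", "*", frozenset(), False),
    ]


def first_match(rules, src_ip: str, dport: int) -> Rule:
    """Azure-style evaluation: lowest priority number first, first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src_ip, dport):
            return rule
    raise AssertionError("no rule matched; Azure always ends with DenyAllInbound")


def evaluate(rules, src_ip: str, dport: int) -> str:
    return first_match(rules, src_ip, dport).name


def is_allowed(rules, src_ip: str, dport: int) -> bool:
    return first_match(rules, src_ip, dport).allow


def audit(rules) -> list:
    """Checks to run before applying the NSG: management ports reachable only from
    ADMIN_IP, every honeypot port reachable from the Internet, no port in both sets."""
    findings = []
    for p in sorted(MGMT_PORTS):
        if is_allowed(rules, INTERNET_IP, p):
            findings.append(f"management port {p} is open to the Internet")
        if not is_allowed(rules, ADMIN_IP, p):
            findings.append(f"management port {p} is not reachable from the admin IP")
    for p in sorted(HONEYPOT_PORTS):
        if not is_allowed(rules, INTERNET_IP, p):
            findings.append(f"honeypot port {p} is not reachable from the Internet")
    overlap = MGMT_PORTS & HONEYPOT_PORTS
    if overlap:
        findings.append(f"ports in both rule sets: {sorted(overlap)}")
    return findings


if __name__ == "__main__":
    print("correct rule set:", audit(tpot_rules()) or "no findings")
    # The misconfiguration the note warns about: honeypot rule limited to My IP.
    print("honeypot rule limited to My IP:", audit(tpot_rules(f"{ADMIN_IP}/32"))[:3], "...")
```

Run it once with the correct table (no findings) and once with the honeypot rule's source set to your own /32 to see every honeypot port reported as unreachable from the Internet; the same harness can be extended with any extra rule you add later, such as an outbound deny.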
Test Access\nSSH: ssh {username}@{Azure VM Public IP} -p 64295, or ssh {username}@{Azure VM Public IP} -i ~/.ssh/{generated key name}.pem -p 64295 if you're using a new key.\nWeb Dashboard: https://{Azure VM Public IP}:64297 (bookmark this). T-Pot serves a self-signed certificate by default, so expect a browser warning on first visit.\nThe dashboard links to Kibana, the Attack Map, SpiderFoot, Threat Intelligence and Administration.\nFile Transfer\nUpload to T-Pot server:\nscp -i {key name} -P 64295 -r {file or folder to upload} {T-Pot username}@{server IP}:{remote target path}\nDownload from T-Pot server:\nscp -i {key name} -P 64295 -r {T-Pot username}@{server IP}:{file or folder to download} {local target path}\nVerify that the file/folder to be downloaded has group (tpot) read access, e.g. for binaries captured by Dionaea:\nchmod g+r /home/<local user>/tpotce/data/dionaea/binaries/*\n(These are live malware samples; handle them on the analysis side with the same care as any other malicious file.)\nCreating New Web Users\nOption 1\n/home/<local user>/tpotce/genuser.sh\nor\nhtpasswd /home/<local user>/tpotce/data/nginx/conf/nginxpasswd <new user>\nVerify: cat /home/<local user>/tpotce/data/nginx/conf/nginxpasswd to make sure there is an entry for <new user>\nOption 2\nhtpasswd -n -b 'username' 'password' | base64 -w0 -\nThis will output a base64 string that should be pasted into ~/tpotce/.env for permanent web users:\nvi ~/tpotce/.env\nEdit WEB_USER={base64 string here}\nIf there are multiple web users, separate the base64 strings with a space: WEB_USER={base64 string} {base64 string}\nNote: In my testing, Option 1 did not create permanent web users (they reset after the scheduled tpot.service restart). T-Pot reads its web users from WEB_USER in .env, so Option 2 is the durable one; treat edits to nginxpasswd as temporary.\nNote: All created users will have admin/edit privileges on the Kibana dashboard.
If desired, a separate Elastic instance can be connected to T-Pot for more granular authorization.\nChanging the T-Pot Web UI Password:\nhtpasswd /home/<local user>/tpotce/data/nginx/conf/nginxpasswd <web username>\nVerify: htpasswd -v /home/<local user>/tpotce/data/nginx/conf/nginxpasswd <web username>\n(As with new users, a change made only in nginxpasswd lasts until the next tpot.service restart; to make it permanent, regenerate the user's base64 entry in ~/tpotce/.env as in Option 2 above.)\nCreating a Kibana Dashboard Visualization\n…\nGreedyBear Feed Generation\n…\nOpenCTI Threat Intelligence Correlation\n…\nSplunk Integration\n…\nTroubleshooting\nTo check for T-Pot-related errors:\njournalctl -u tpot -f\nsudo systemctl status tpot.service\nTo check for port bind conflicts that will force-restart tpot.service:\nsudo netstat -tulpen or sudo ss -tunlap\nTo determine the process responsible for a conflict on a given port: sudo fuser {port}/tcp (or {port}/udp) to get the PID(s) of processes using this port, then ps -p {PID}\nYou may need to manually set DNS/nameservers in case of a port 53 conflict with the systemd-resolved stub listener:\nsudo systemctl disable --now systemd-resolved.service\nsudo nano /etc/resolv.conf\nIf /etc/resolv.conf is a symlink into /run/systemd/resolve/, remove the symlink and create a regular file containing:\nnameserver 8.8.8.8\nnameserver 8.8.4.4\n(resolv.conf accepts only nameserver, search and options lines; a 127.0.0.1 {hostname} mapping belongs in /etc/hosts, not here.)","permalink":"https://iw-sec.github.io/posts/azure-tpot/","summary":"A guide for deploying Telekom's awesome multi-honeypot T-Pot on Azure.","title":"T-Pot Honeypot on Azure"},{"content":"Targeted Entities\nThis campaign does not target any specific industry and has been observed attacking a wide variety of individuals and organizations. However, the malware utilized by this campaign (njRAT) was found to have originated in the Middle East and is primarily used to target Arabic-speaking countries [1][7].\nIntroduction\nPart of the Microsoft Azure official toolkit and used by developers to test apps and sync local testing environments securely over the internet, the 'dev tunnels' service has made a surprising appearance in a recent threat campaign leveraging a new variant of the popular njRAT Remote Access Trojan [9].
A blog post published on the SANS Internet Storm Center by security researcher Xavier Mertens (@xme) announced the discovery of the malware, highlighting its creative use of Microsoft's dev tunnels for communication between infected devices and identified command-and-control (C2) servers [8].\nMertens says he spotted this strain of njRAT sending continuous status updates to C2 servers via dev tunnel URLs. A deeper analysis of captured samples revealed hardcoded server listening ports, the suspected botnet name, the client version and the capabilities of the malware [8].\nReconstructed code showing client connection initiation; 'OK.HH' stores a dev tunnel URL (Source: SANS Internet Storm Center)\nJSON extraction of a recent njRAT sample (Source: SANS Internet Storm Center)\nIn his findings, he also discusses the ability of this malware to detect and propagate to external drives via USB. As shown in the code snippet below, if the 'OK.usb' variable is set to True, the malware will attempt to copy itself to any mounted USB devices [8].\nReconstructed code showing USB propagation ability (Source: SANS Internet Storm Center)\nBackground\nFirst observed in 2012, njRAT has become one of the most widely accessible Remote Access Trojans (RATs) on the market. An abundance of educational material and tutorials is available online [1]. This, combined with its freely available source code and builders, has ranked it among the most popular RATs in the world. According to ANY.RUN, a prominent online malware analysis service, the njRAT malware family currently holds the #2 spot for all-time total submission count [3].
Though historically used for browser cookie and credential theft, njRAT boasts a wide range of capabilities including keylogging, webcam/screen recording, cryptocurrency theft and wallet enumeration, registry modifications, file uploads, and USB drive propagation [7].\nThe use of legitimate services to mask command-and-control communication and data exfiltration, often called 'C2 tunneling', is hardly a novel concept. Cloudflare Tunnel (cloudflared), ngrok, and the DNS protocol have been and continue to be abused by bad actors to conceal this malicious network activity [6]. Previous njRAT campaigns have also abused services like Pastebin for C2 [5]; the difference this time is that the traffic terminates on Microsoft-operated Azure infrastructure under a valid TLS certificate for a Microsoft-owned domain, so it inherits the trust that proxies, filters and analysts extend to Microsoft services. The use of dev tunnels for stealthy data exfiltration has existed as a proof of concept since 2023, when the tool was first released alongside Visual Studio 2022 v17.6 [4][10].\nThe setup of dev tunnels for C2 redirection is a relatively straightforward process. The threat actor needs only a valid GitHub or Microsoft account and the free devtunnel executable, available for Windows, macOS, and Linux [11]. With that, they authenticate via the tool with one of the following commands:\nAfter verification, a secure, persistent channel can be deployed by issuing the following:\nWith the dev tunnel active, all the attacker has to do is bind the channel to their C2 listener port on the same host machine [4]. Now the control server and infected devices will direct all C2 traffic through a trusted proxy hosted within Microsoft's Azure cloud infrastructure.\nIt is worth noting that regardless of the actual traffic direction or protocol being used, the tunnel always presents itself to the victim's network as outbound TLS traffic.
This means that even when an adversary is actively connecting inbound to a victim's system, the connection appears in network logs and monitoring tools as a standard outbound HTTPS connection originating from the victim's network [11]. A firewall that inspects only direction and port therefore sees nothing unusual; the useful signals are the destination hostname (the dev tunnel relay domains listed in the IOCs below) and which process on the host opened the connection.\nMITRE ATT&CK\nS0385 - njRAT: This campaign utilizes a variant of the njRAT Remote Access Trojan.\nTA0011 - Command and Control (C2): Following system infection, njRAT will contact a control server awaiting instructions from an attacker. It can be configured to choose from a list of attacker-owned servers.\nT1572 - Protocol Tunneling: Using the Microsoft dev tunnel service, infected-system check-ins, data exfiltration, and commands from the control server all travel over disposable, encrypted channels, making it harder for traditional security systems to spot the traffic and block it effectively.\nT1547.001 - Registry Run Keys / Startup Folder: On infected Windows systems, this variant of njRAT creates a registry value under the 'Software\\Microsoft\\Windows\\CurrentVersion\\Run' key. To achieve persistence across reboots, the malicious program references itself in this \"run key\", so it executes each time a user logs in.\nT1082 - System Information Discovery: The malware performs enumeration of the infected host. It checks the OS version, supported languages, hostname, registry GUID, and other information that is then sent to the control server [2].\nT1091 - Replication Through Removable Media: njRAT will attempt to detect any removable drives connected to the system.
If found, the malware will create a standalone copy of itself on that drive.\nIndicators of Compromise (IOCs)\nSHA-256 Hashes\n0b0c8fb59db1c32ed9d435abb0f7e2e8c3365325d59b1f3feeba62b7dc0143ee\n9ea760274186449a60f2b663f535c4fbbefa74bc050df07614150e8321eccdb7\ncb2d8470a77930221f23415a57bc5d6901b89de6c091a3cfbc563e4bf0e7b4eb\nc0513783d569051bdc230587729b1da881f7032c2ad6e8fedbbdcc61d813da25\nAssociated Filenames\ndsadasfjamsdf.exe\nc3df7e844033ec8845b244241c198fcc.exe\nRegistry Key\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run\\af63c521a8fa69a8f1d113eb79855a75\nIP Addresses\n20.103.221[.]187\nC2 URLs\nhxxps://nbw49tk2-27602.euw.devtunnels[.]ms/\nhxxps://nbw49tk2-25505.euw.devtunnels[.]ms/\nDev Tunnel Domain Formats\nglobal.rel.tunnels.api.visualstudio.com\n[clusterId].rel.tunnels.api.visualstudio.com\n[clusterId]-data.rel.tunnels.api.visualstudio.com\n*.[clusterId].devtunnels.ms\n*.devtunnels.ms\nRecommendations\nMonitor DNS Traffic for Dev Tunnel URLs\nOrganizations not using dev tunnels should keep an eye on DNS logs for any unexpected dev tunnel hostnames (typically ending in \".devtunnels.ms\", plus the relay API hostnames under tunnels.api.visualstudio.com) that may indicate C2 communication [5]. IDS/IPS rules should be applied to automatically alert on or block this traffic. Organizations that do use dev tunnels should scope the alert to hosts outside their developer population rather than suppress it.\nBeware of USB Devices\nThis variant, as well as previous versions of njRAT, has the ability to detect and spread to external drives connected via USB. Users should exercise caution when interacting with unknown USB devices. For critical systems, it may also be advisable to disable the use of external storage hardware locally.\nUse EDR/Host-Based IDS\nThe malware's use of dev tunnels can blend its traffic with normal activity, rendering network intrusion detection efforts less effective.
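The DNS check recommended above (Monitor DNS Traffic for Dev Tunnel URLs), as an added example that is not part of this advisory and not code from any of the cited researchers: it matches query names against the Dev Tunnel Domain Formats listed in the IOCs, honours an allowlist for hosts that legitimately use dev tunnels, and decomposes tunnel hostnames into tunnel id, port and cluster. The log lines are constructed in a BIND-style query-log format, and the `<tunnel-id>-<port>.<cluster>.devtunnels.ms` layout is inferred from the two C2 URLs in the IOC list rather than taken from Microsoft documentation, so treat it as an assumption.

```python
"""Added example: flag dev-tunnel hostnames in DNS query logs.
Hostname patterns are the advisory's 'Dev Tunnel Domain Formats'; the
<tunnelid>-<port>.<cluster>.devtunnels.ms layout is an assumption inferred from
the IOC URLs. All log lines below are constructed."""
import re
from typing import Optional

# Relay API hostnames and tunnel endpoint hostnames listed in the advisory's IOCs.
DEVTUNNEL_PATTERNS = [
    re.compile(r"^global\.rel\.tunnels\.api\.visualstudio\.com$", re.I),
    re.compile(r"^[a-z0-9]+(-data)?\.rel\.tunnels\.api\.visualstudio\.com$", re.I),
    re.compile(r"^([a-z0-9-]+\.)+devtunnels\.ms$", re.I),
]
# <tunnel-id>-<port>.<cluster>.devtunnels.ms, as in nbw49tk2-27602.euw.devtunnels.ms (assumed layout)
TUNNEL_HOST = re.compile(
    r"^(?P<tunnel>[a-z0-9]+)-(?P<port>\d{1,5})\.(?P<cluster>[a-z0-9]+)\.devtunnels\.ms$", re.I)


def is_devtunnel_host(name: str) -> bool:
    """True if the query name is a dev tunnel relay or tunnel endpoint (suffix-anchored,
    so look-alikes such as devtunnels.ms.evil.example do not match)."""
    name = name.rstrip(".").lower()
    return any(p.match(name) for p in DEVTUNNEL_PATTERNS)


def parse_tunnel_host(name: str) -> Optional[dict]:
    """Split a tunnel endpoint hostname into its parts; None for relay API names."""
    m = TUNNEL_HOST.match(name.rstrip(".").lower())
    if not m:
        return None
    return {"tunnel_id": m["tunnel"], "port": int(m["port"]), "cluster": m["cluster"]}


# Constructed BIND-style query log format: "<ts> client <ip>#<port>: query: <qname> IN <type>"
QUERY_LINE = re.compile(r"client (?P<client>[\d.]+).*query: (?P<qname>\S+) IN")


def scan_dns_log(lines, allowlist=frozenset()):
    """One finding per query for a dev-tunnel host from a client not on the allowlist
    (the allowlist is for developer hosts that legitimately use dev tunnels)."""
    findings = []
    for line in lines:
        m = QUERY_LINE.search(line)
        if not m or m["client"] in allowlist:
            continue
        qname = m["qname"]
        if is_devtunnel_host(qname):
            finding = {"client": m["client"], "qname": qname.rstrip(".")}
            finding.update(parse_tunnel_host(qname) or {})
            findings.append(finding)
    return findings


SAMPLE_LOG = [  # constructed sample data
    "12-Mar-2025 10:01:02.110 client 10.0.5.21#51234: query: www.microsoft.com IN A",
    "12-Mar-2025 10:01:03.221 client 10.0.5.21#51235: query: global.rel.tunnels.api.visualstudio.com IN A",
    "12-Mar-2025 10:01:03.540 client 10.0.5.21#51236: query: nbw49tk2-27602.euw.devtunnels.ms IN A",
    "12-Mar-2025 10:02:11.003 client 10.0.7.9#40022: query: euw.rel.tunnels.api.visualstudio.com IN A",
    "12-Mar-2025 10:03:00.000 client 10.0.5.21#51240: query: devtunnels.ms.evil.example IN A",
]

if __name__ == "__main__":
    # 10.0.7.9 stands in for a developer workstation that is expected to use dev tunnels.
    for f in scan_dns_log(SAMPLE_LOG, allowlist={"10.0.7.9"}):
        print(f)
```

The relay API lookups (global.rel.tunnels.api.visualstudio.com and the per-cluster names) are the earliest signal, since the client resolves them before any tunnel endpoint; the tunnel id and port pulled from the endpoint name are what you pivot on when correlating with other hosts.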
Configuring endpoint protection solutions to detect and flag the use of Microsoft-signed binaries (e.g., devtunnel.exe) by anomalous parent processes or modifications to the auto-run registry can offer another layer of defense to address this gap [5].\nNetwork Segmentation Botnet malware like njRAT spreads primarily via ‘spray and pray\u0026rsquo; orchestration, typically infecting internet-facing devices that lack proper security controls. IoT devices, poorly configured web servers, and routers with deprecated firmware make up a sizable portion of modern botnet infrastructure. If security patches or hardening cannot be applied to such systems, isolating them from the main home or enterprise network is imperative to prevent lateral movement to critical systems.\nStay Informed on the Latest TTPs As threat actors become more innovative in their detection evasion and exfiltration techniques, security analysts must remain up to speed with the ongoing changes of an evolving threat landscape.\nReferences [1] ANY.RUN. (March 9, 2025). NJRAT. https://any.run/malware-trends/njrat\n[2] ANY.RUN. (February 27, 2025). dsadasfjamsdf.exe Sandbox Analysis. https://app.any.run/tasks/c01ea110-ecbf-483a-8b0f-d777e255ad9c\n[3] ANY.RUN. (March 9, 2025). Malware Trends Tracker. https://any.run/malware-trends/\n[4] Au, C. (August 9, 2023). Microsoft Dev Tunnels as C2 Channel. https://www.netero1010-securitylab.com/red-team/microsoft-dev-tunnels-as-c2-channel\n[5] Baran, G. (February 28, 2025). Njrat Attacking Users Abusing Microsoft Dev Tunnels for C2 Communications. https://cybersecuritynews.com/njrat-attacking-abusing-microsoft-dev/\n[6] BlueteamOps. (Oct 23, 2023). Detecting ‘Dev Tunnels.’ https://detect.fyi/detecting-dev-tunnels-16f0994dc3e2\n[7] Check Point. (August 15, 2023). What is NJRat Malware? https://www.checkpoint.com/cyber-hub/threat-prevention/what-is-malware/what-is-njrat-malware/\n[8] Mertens, X. (February 27, 2025). Njrat Campaign Using Microsoft Dev Tunnels. 
https://isc.sans.edu/diary/Njrat%20Campaign%20Using%20Microsoft%20Dev%20Tunnels/31724\n[9] Microsoft. (November 17, 2023). What are dev tunnels? https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview\n[10] Montemagno, J. (February 5, 2024) Dev Tunnels: A Game Changer for Mobile Developers. https://devblogs.microsoft.com/dotnet/dev-tunnels-a-game-changer-for-mobile-developers/\n[11] Rossouw, F. (December 5, 2024). Malware of the Day – Tunneling Havoc C2 with Microsoft Dev Tunnels. https://www.activecountermeasures.com/malware-of-the-day-tunneling-havoc-c2-with-microsoft-dev-tunnels/\n","permalink":"https://iw-sec.github.io/posts/devtunnels-advisory/","summary":"Activity surrounding a new malware campaign\u0026rsquo;s use of the Microsoft\u0026rsquo;s Dev tunnels service and the implications it has on the evolving threat landscape.","title":"Malware Campaign Exploits Microsoft Dev Tunnels"},{"content":"Targeted Entities Industries: Any (Opportunistic) Operating Systems: Windows, macOS, and Linux Introduction Written primarily in Golang, SparkRAT is a feature-rich, multi-platform Remote Administration Tool (RAT) that allows for the granular control of infected devices via web interface [11]. It was first published on GitHub in March of 2022 by elusive, Chinese-speaking developer XZB-1248. However, the project went largely unnoticed until gaining steady popularity in early 2023. Since then, the tool has been observed in numerous threat campaigns, including those carried out by cybercriminal groups Winnti and DragonSpark, as well as its involvement in the Hello Kitty and TellYouThePass ransomware attacks [6].\nLike most Remote Access Toolkits, SparkRAT has been widely leveraged by threat actors for post-exploitation operations, typically being installed after the payload delivery and initial compromise. 
Most notably, the tool has been used in conjunction with several critical vulnerability exploits: CVE-2023-46604, CVE-2024-27198, and CVE-2024-43451 [1][3][4]. After a period of dormancy, SparkRAT resurfaced in January 2025, with security researchers at Hunt.io detecting new C2 servers and hints of a possible DPRK campaign targeting macOS users [7].\nSparkRAT Observed in DPRK Campaign\nIn a Twitter post from November 2024, threat intelligence researcher Germán Fernández (@1ZRR4H) revealed a cyber-espionage campaign attributed to the North Korean government, targeting macOS users and government organizations [5]. The threat actors behind this operation were reportedly distributing SparkRAT agents via fake online meeting platforms. Upon further investigation, researchers at Hunt.io and Cato Networks have recently identified additional C2 servers in South Korea and Singapore [2]. The findings suggest that this campaign is still active, although with a slight change in strategy and payload delivery method.\nInterestingly, these uncovered C2 server domains were found to have open directories containing SparkRAT implants and bash scripts. Below are screenshots of an exposed directory and the content of its hosted scripts.\nScreenshot of hxxps://gmcomamz[.]site/dev (Source: Hunt.io)\nCurl results from hxxps://gmcomamz[.]site/dev/dev.sh\nThe bash script above downloads the Mach-O binary (client.bin) from the hosting domain (updatetiker[.]site), saves it as \"pull.bin\" in the /Users/shared directory, changes its permissions to allow reading, writing, and execution by all system users, and runs the file as a background process.
This download, chmod, execute sequence is typical of the dropper scripts found on malware staging servers.\nThe behavior of the test.sh script is similar; however, it points to another domain which has also been found to host SparkRAT agents (clients):\nCurl results from hxxps://gmcomamz[.]site/dev/test.sh\nSparkRAT Analysis\nSparkRAT Web Interface\nAccessed through a browser, the SparkRAT Web UI provides an overview of active remote sessions along with system information for each connected machine. In addition to the basic operations listed below, the tool's interface comes with several additional capabilities such as viewing a live instance of the victim's screen, taking screenshots, and remote shutdown.\nClient Creation\nGenerate Client creates an executable file that, when executed on a target machine, will create a backdoor connection to the associated C2 system. Clients can be customized to point to different hosts, connect over a specified port, and run on different operating systems (Windows, macOS/Darwin, and Linux).\nRemote Terminal Window\nAs one would expect, the Terminal feature allows attackers to execute commands on a target machine through a web-based terminal backed by the host's own shell (PowerShell on Windows, a POSIX shell on macOS/Linux). Combined with privilege escalation on the target, attackers can carry out system-level operations like disabling the firewall, modifying registry keys, and disabling antivirus software.\nProcess Manager\nThe Process feature lists all running processes and offers the ability to stop them. This can be used to terminate security/monitoring software.\nFile Manager Tool\nExplorer allows attackers to enumerate, create, and delete files/directories on the target system. It also allows files/directories to be downloaded to the attacker's local machine or uploaded to the target machine.\nWireshark capture showing initial client-C2 communication\nIn this exchange, captured shortly after the execution of a SparkRAT agent, the target system sends a request to upgrade its connection to use the WebSocket protocol.
A WebSocket handshake over port 8000 is a key characteristic of SparkRAT command-and-control (C2) traffic. Since the port is set per generated client, treat 8000 as a strong default rather than a constant.\nClient POST request to update SparkRAT version\nFollowing the WebSocket handshake, the target system sends a POST request with the commit query parameter carrying the current version (Git commit) of the tool. This enables the RAT to automatically upgrade itself to the latest version available on the C2 server [10]. It is also worth noting the unusual User-Agent string as well as the JSON return value indicating that this client is already using the latest SparkRAT version the server can offer.\nMITRE ATT&CK\nT1059 - Command and Scripting Interpreter: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.\nT1571 - Non-Standard Port: Adversaries may communicate using a protocol and port pairing that are typically not associated.\nT1005 - Data from Local System: Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to exfiltration.\nT1071.001 - Application Layer Protocol: Web Protocols (C2): Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
Protocols such as HTTP/S and WebSocket that carry web traffic may be very common in environments.\nT1105 - Ingress Tool Transfer (C2) Adversaries may transfer tools or other files from an external system into a compromised environment.\nT1573.001 - Symmetric Cryptography (C2) Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.\nT1082 - System Information Discovery An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\nT1083 - File and Directory Discovery Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.\nT1106 - Native API Adversaries may interact with the native OS application programming interface (API) to execute behaviors.\nIndicators of Compromise (IOCs) SHA-256 Hashes fcf9b70253437c56bb00315da859ce8e40d6410ec405c1473b374359d5277209 3bfb4f5c328d57b647ba81045eae223ff292f0caa216fee97e98127b2934c6b0 cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56 9c4d6d66dcef74f4a6ce82369830a4df914becd7eb543bdcc5d339b7b3db254b 52277d43d2f5e8fa8c856e1c098a1ff260a956f0598e16c8fb1b38e3a9374d15 ffe4cfde23a1ef557f7dc56f53b3713d8faa9e47ae6562b61ffa1887e5d2d56e 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 f015f91722c57cdb7ee61d947fb83f395d342e3d36159f7a470e23b6c03681bf 5802d266c6fd8f45323b7d86d670059f1bd98de42a173fbc2ac66399b9783713 Associated Filenames msoia.exe client.bin client.exe 3261cbac9f0ad69dd805bfd875eb0161.exe one68_1_1.0.apk IP Addresses 67.217.62[.]106 152.32.138[.]108 15.235.130[.]160 118.194.249[.]38 51.79.218[.]159 37.230.62[.]73 Domains gsoonmann[.]site gmnormails[.]site gmoonsom[.]site nasanecesoi[.]site gmoocsoom[.]site gmcomamz[.]site namerowem[.]site gmoosomnoem[.]site 
mncomgom[.]site\nggnmcomas[.]site\nupdatetiker[.]net\nupdatetiker[.]site\ngomncomow[.]site\ngooczmmnc[.]site\ngnmoommle[.]space\none68[.]top\nremote[.]henh247[.]net\nremote[.]henho247[.]net\nRecommendations\nExercise Good Cyber Hygiene\nThe easiest, most effective way to prevent system compromise via Remote Access Trojans like SparkRAT is to practice good cyber hygiene. This includes not opening unknown files, being suspicious of email attachments from untrusted sources, avoiding downloading software from unofficial websites, and regularly updating operating systems.\nIsolated Virus Scans\nPerforming a malware detection scan (via crowdsourced tools like VirusTotal or antivirus software like Microsoft Defender's custom scan option) on an untrusted file before executing it can be an easy way to check its legitimacy. Most AV solutions know the common SparkRAT indicators and will prevent infected files from executing. However, custom malware leveraging the tool may go undetected: SparkRAT is open source and each generated client is a fresh build, so hash-based signatures for one client do not match the next. If further analysis is required, run any suspected file within a sandbox environment to examine its behavior. Keep in mind that uploading a file to a public scanning service shares it with third parties; for sensitive documents, prefer a hash lookup or an on-premises sandbox.\nUpdate Virus Signatures\nEnsuring that endpoint solutions and antivirus software are up to date with the latest virus signatures is crucial for detecting and quarantining known variations of SparkRAT malware. AV signature databases update on their own schedule, independently of operating system patches, so configure automatic (at least daily) definition updates rather than relying on patch cycles.\nActive Network Monitoring\nA system infected with SparkRAT malware establishes a connection to its C2 server via WebSocket, a web-based application protocol that enables full-duplex communication between client and server [8].
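The network check this recommendation describes, built from the two client behaviours shown in the analysis above (the WebSocket upgrade to a C2 on port 8000 and the version-check POST carrying a commit query parameter), as an added example that is neither the advisory's nor the SparkRAT project's code. It parses raw HTTP request heads and scores each flow by how many indicators it carries. The sample requests are constructed, not captured traffic; the /api/client/update path and the "SPARK COMMIT" User-Agent prefix come from public write-ups of the tool rather than from this advisory, so both are labelled as assumptions in the code and count only as additional weight on top of the indicators the advisory itself names.

```python
"""Added example: score HTTP request heads for SparkRAT client indicators.
Indicators from the advisory: WebSocket upgrade to port 8000, POST with a
'commit' query parameter. The /api/client/update path and the 'SPARK COMMIT'
User-Agent are assumptions taken from public analyses, not from the advisory.
All requests below are constructed sample data."""
from urllib.parse import urlsplit, parse_qs

SPARK_DEFAULT_PORT = 8000


def parse_request(raw: str) -> dict:
    """Minimal parser for one HTTP/1.1 request head (request line + headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": method, "target": target, "headers": headers}


def score_request(raw: str, dst_port: int) -> dict:
    """Return the matched indicators for one request sent to dst_port."""
    req = parse_request(raw)
    h = req["headers"]
    reasons = []
    is_ws = (h.get("upgrade", "").lower() == "websocket"
             and "upgrade" in h.get("connection", "").lower())
    if is_ws and dst_port == SPARK_DEFAULT_PORT:
        reasons.append("websocket upgrade to port 8000")
    elif is_ws and dst_port not in (80, 443):
        reasons.append(f"websocket upgrade on non-standard port {dst_port}")
    url = urlsplit(req["target"])
    query = parse_qs(url.query)
    if req["method"] == "POST" and "commit" in query:
        reasons.append("POST with commit= version parameter")
        if url.path.endswith("/api/client/update"):   # assumed update path
            reasons.append("update path /api/client/update")
    if h.get("user-agent", "").upper().startswith("SPARK COMMIT"):  # assumed UA format
        reasons.append("SPARK COMMIT user-agent")
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample requests (not captured traffic).
WS_HANDSHAKE = ("GET /ws HTTP/1.1\r\nHost: 203.0.113.5:8000\r\nUpgrade: websocket\r\n"
                "Connection: Upgrade\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
                "Sec-WebSocket-Version: 13\r\n\r\n")
UPDATE_POST = ("POST /api/client/update?os=darwin&arch=amd64&commit=0123abcd HTTP/1.1\r\n"
               "Host: 203.0.113.5:8000\r\nUser-Agent: SPARK COMMIT: 0123abcd\r\n"
               "Content-Length: 0\r\n\r\n")
BENIGN_WS = ("GET /chat HTTP/1.1\r\nHost: chat.example\r\nUpgrade: websocket\r\n"
             "Connection: Upgrade\r\nSec-WebSocket-Version: 13\r\n\r\n")


def triage(flows):
    """flows: iterable of (dst_port, raw_request). Returns the flows that matched at
    least one indicator, highest score first."""
    scored = [(dst, score_request(raw, dst)) for dst, raw in flows]
    return sorted([(d, s) for d, s in scored if s["score"]], key=lambda x: -x[1]["score"])


if __name__ == "__main__":
    for dst, s in triage([(8000, WS_HANDSHAKE), (8000, UPDATE_POST), (443, BENIGN_WS)]):
        print(dst, s)
```

A single WebSocket upgrade to port 8000 scores low on purpose, since legitimate software uses both the protocol and the port; the update POST with a commit parameter is far more specific, and seeing both from the same host shortly after process start is what should page someone.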
Though sometimes used by legitimate software, such as instant messengers and multiplayer games, the use of this protocol over port 8000 (the default port for SparkRAT agents) could be a strong indicator of SparkRAT activity. To detect this traffic, network monitoring and deep packet inspection tools can be deployed to look for abnormal connections over port 8000, WebSocket handshakes by unknown applications, and the JSON status and error messages indicative of SparkRAT C2. Correlating a flagged connection with the process that opened it on the endpoint turns a noisy port-based alert into a confident one.\nStay Informed\nAs SparkRAT gains traction, it is likely to be featured in future malware campaigns. Thankfully, threat hunters and intelligence agencies are vigilantly discovering and sharing IOCs linked to the tool. Engaging with threat intel networks and staying aware of new SparkRAT trends will allow for better preparation of systems and aid in detection efforts of emerging threats.\nReferences\n[1] Arctic Wolf. (November 3, 2023). Exploitation of CVE-2023-46604 in Apache ActiveMQ Leads to TellYouThePass Ransomware. https://arcticwolf.com/resources/blog/tellmethetruth-exploitation-of-cve-2023-46604-leading-to-ransomware/\n[2] Bittner, D. (January 29, 2025). Cats and RATS are all the rage. https://thecyberwire.com/podcasts/daily-podcast/2234/transcript\n[3] Broadcom. (January 31, 2025). SparkRAT - a cross-platform modular malware. https://www.broadcom.com/support/security-center/protection-bulletin/sparkrat-a-cross-platform-modular-malware\n[4] ClearSky. (November 13, 2024). CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild. https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/\n[5] Fernández, G. (November 27, 2024). SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://x.com/1ZRR4H/status/1861667506328334589/\n[6] Fortinet. (February 13, 2024). Threat Coverage: How FortiEDR protects against SparkRAT activity. https://community.fortinet.com/t5/FortiEDR/Threat-Coverage-How-FortiEDR-protects-against-SparkRAT-activity/ta-p/299271\n[7] Hunt.io. (January 28, 2025).
SparkRAT: Server Detection, macOS Activity, and Malicious Connections. https://hunt.io/blog/sparkrat-server-detection-macos-activity-and-malicious-connections\n[8] IETF. (Dec 2011). The WebSocket Protocol. https://datatracker.ietf.org/doc/html/rfc6455\n[9] Mishra, A. (Jan 29, 2025). Hackers Attacking Windows, macOS, and Linux systems With SparkRAT. https://gbhackers.com/hackers-attacking-windows-macos-and-linux-systems/\n[10] SentinelLabs. (Jan 24, 2023) DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation. https://www.sentinelone.com/labs/dragonspark-attacks-evade-detection-with-sparkrat-and-golang-source-code-interpretation/\n[11] XZB-1248. (Mar 16, 2022). SparkRAT GitHub Repository. https://github.com/XZB-1248/Spark\nAdditional Resources Open Threat Exchange. “SparkRAT”. https://otx.alienvault.com/browse/global/pulses?q=SparkRAT\u0026amp;include_inactive=0\u0026amp;sort=-modified\u0026amp;page=1\u0026amp;limit=10\u0026amp;indicatorsSearch=SparkRAT\nMalpedia. “SparkRAT”. https://malpedia.caad.fkie.fraunhofer.de/details/win.spark_rat\nThreatFox. SparkRAT IOCs. https://threatfox.abuse.ch/browse/malware/win.spark_rat/\nHybrid Analysis. client.bin Sandbox Report. https://www.hybrid-analysis.com/sample/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56\nVirusTotal. client.bin Scan. https://www.virustotal.com/gui/file/cd313c9b706c2ba9f50d338305c456ad3392572efe387a83093b09d2cb6f1b56\n","permalink":"https://iw-sec.github.io/posts/sparkrat-advisory/","summary":"A brief analysis of the tool and its resurgence in a recent North Korean espionage campaign targeting macOS devices and government officials.","title":"SparkRAT: A Multi-Platform Remote Access Tool"},{"content":"hi\n","permalink":"https://iw-sec.github.io/posts/first-post/","summary":"\u003cp\u003ehi\u003c/p\u003e","title":"First Post"}]