S0543 Spark
Spark is a Windows backdoor and has been in use since as early as 2017.[1]
Item | Value |
---|---|
ID | S0543 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 15 December 2020 |
Last Modified | 18 August 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Spark has used HTTP POST requests to communicate with its C2 server and receive commands.[1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | Spark can use cmd.exe to run commands.[1] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | Spark has base64-encoded its communications with the C2 server.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Spark has used a custom XOR algorithm to decrypt its payload.[1] |
enterprise | T1041 | Exfiltration Over C2 Channel | Spark has exfiltrated data over the C2 channel.[1] |
enterprise | T1027 | Obfuscated Files or Information | - |
enterprise | T1027.002 | Software Packing | Spark has been packed with Enigma Protector to obfuscate its contents.[1] |
enterprise | T1082 | System Information Discovery | Spark can collect the hostname, keyboard layout, and language from the system.[1] |
enterprise | T1614 | System Location Discovery | - |
enterprise | T1614.001 | System Language Discovery | Spark has checked the results of GetKeyboardLayoutList and the language name returned by GetLocaleInfoA to make sure they contain the word "Arabic" before executing.[1] |
enterprise | T1033 | System Owner/User Discovery | Spark has run the whoami command and has a built-in command to identify the logged-in user.[1] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.002 | User Activity Based Checks | Spark has used a splash screen to check whether a user actively clicks on the screen before running malicious code.[1] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0021 | Molerats | [1] [2] |
References
[1] Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
[2] Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.