
S0543 Spark

Spark is a Windows backdoor that has been in use since at least 2017.[1]

ID: S0543
Associated Names: none listed
Version: 1.1
Created: 15 December 2020
Last Modified: 18 August 2021

Techniques Used

Domain | ID | Name | Use
enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Spark has used HTTP POST requests to communicate with its C2 server to receive commands.[1]
enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Spark can use cmd.exe to run commands.[1]
enterprise | T1132.001 | Data Encoding: Standard Encoding | Spark has encoded communications with the C2 server with base64.[1]
enterprise | T1140 | Deobfuscate/Decode Files or Information | Spark has used a custom XOR algorithm to decrypt its payload.[1]
enterprise | T1041 | Exfiltration Over C2 Channel | Spark has exfiltrated data over the C2 channel.[1]
enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Spark has been packed with Enigma Protector to obfuscate its contents.[1]
enterprise | T1082 | System Information Discovery | Spark can collect the hostname, keyboard layout, and language from the system.[1]
enterprise | T1614.001 | System Location Discovery: System Language Discovery | Spark has checked the results of GetKeyboardLayoutList and the language name returned by GetLocaleInfoA to make sure they contain the word “Arabic” before executing.[1]
enterprise | T1033 | System Owner/User Discovery | Spark has run the whoami command and has a built-in command to identify the logged-in user.[1]
enterprise | T1497.002 | Virtualization/Sandbox Evasion: User Activity Based Checks | Spark has used a splash screen to check whether a user actively clicks on the screen before running malicious code.[1]
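The base64 C2 body (T1132.001 over T1071.001) and the XOR-wrapped payload (T1140) listed above are both encodings an analyst has to undo before the traffic or the dropped file says anything. The block below is an added example for this page, not code taken from Spark, from the cited report, or from ATT&CK: it base64-decodes a POST body and brute-forces a single-byte XOR key by looking for a PE header. The beacon text and the fake PE blob are constructed for the example, and the single-byte scheme is a stand-in; the table only says Spark's XOR routine is custom, so its key length and layout are not known here and a real sample may need the key recovered from the unpacked binary instead.

```python
"""Undo the two encodings listed for Spark's C2 and payload:
base64 POST bodies (T1132.001) and an XOR-encoded embedded payload
(T1140). Added example code; the single-byte XOR scheme is a stand-in
for Spark's custom routine, whose details are not on this page."""
import base64
import binascii
import re
from typing import Optional

# Constructed sample data for this example, not captured Spark traffic.
PLAINTEXT_BEACON = b"host=WS-7\r\nlayout=Arabic\r\nuser=alice\r\n"
SAMPLE_POST_BODY = base64.b64encode(PLAINTEXT_BEACON)

# Constructed stand-in for an embedded PE payload: DOS header magic,
# padding and the DOS stub string, XOR-encoded with a single byte.
DOS_STUB = b"This program cannot be run in DOS mode."
FAKE_PE_PLAIN = b"MZ\x90\x00" + bytes(60) + DOS_STUB + bytes(16)
FAKE_XOR_KEY = 0x5A
FAKE_PE_XORED = bytes(b ^ FAKE_XOR_KEY for b in FAKE_PE_PLAIN)


def decode_c2_body(body: bytes) -> Optional[bytes]:
    """Base64-decode an HTTP POST body.

    Tolerates line breaks, stripped '=' padding and the URL-safe
    alphabet, and returns None when the body is not base64 at all
    (so a caller can fall through to other decoders)."""
    compact = re.sub(rb"\s+", b"", body)
    compact += b"=" * (-len(compact) % 4)
    for altchars in (None, b"-_"):
        try:
            return base64.b64decode(compact, altchars=altchars, validate=True)
        except binascii.Error:
            continue
    return None


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a repeating single-byte XOR key."""
    return bytes(b ^ key for b in data)


def recover_single_byte_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys and return the one that
    turns the start of the blob into a DOS/PE header. Key 0 means the
    blob was not encoded. None means no single-byte key fits, which
    does not rule out a longer or position-dependent key."""
    head = blob[:256]  # the MZ magic and DOS stub sit in the first 256 bytes
    for key in range(256):
        candidate = xor_bytes(head, key)
        if candidate.startswith(b"MZ") and DOS_STUB in candidate:
            return key
    return None


def decode_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded payload when a single-byte key is recovered."""
    key = recover_single_byte_xor_key(blob)
    return None if key is None else xor_bytes(blob, key)


if __name__ == "__main__":
    print(decode_c2_body(SAMPLE_POST_BODY))
    print(hex(recover_single_byte_xor_key(FAKE_PE_XORED)))
```

Because the sample is packed with Enigma Protector (T1027.002), the decryption routine and any static key only become visible after unpacking or a memory dump; the brute force above is a quick first pass that works whenever the key is a single byte, and a miss (None) does not mean the blob is not XOR-encoded.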
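The locale gate in the T1614.001 row decides whether a detonation sandbox ever sees the payload. The block below models that gate as an added example (not Spark's code): it decodes the HKL values that GetKeyboardLayoutList returns (the low 16 bits of an HKL are the input language identifier, whose low 10 bits are the primary language; LANG_ARABIC is 0x01 in winnt.h) and checks an English language name of the kind GetLocaleInfoA returns for LOCALE_SENGLANGUAGE. Treating both checks as required is an assumption; the ATT&CK text does not say whether one alone suffices, so a sandbox should satisfy both. The HKL values in the scenarios are constructed but use real Windows language identifiers (0x0409 en-US, 0x0401 ar-SA, 0x0C01 ar-EG).

```python
"""Model of the locale gate described for Spark (T1614.001), written to
work out what a sandbox must present. Added example; it does not
reproduce the sample's own code."""
from typing import Iterable

LANG_ARABIC = 0x01  # winnt.h primary language ID for Arabic


def primary_language(hkl: int) -> int:
    """The low word of an HKL is the input language identifier (LANGID);
    the PRIMARYLANGID macro keeps its low 10 bits."""
    langid = hkl & 0xFFFF
    return langid & 0x03FF


def has_arabic_layout(hkls: Iterable[int]) -> bool:
    """GetKeyboardLayoutList check: any installed layout whose primary
    language is Arabic, whatever the sublanguage (ar-SA, ar-EG, ...)."""
    return any(primary_language(h) == LANG_ARABIC for h in hkls)


def locale_name_is_arabic(english_language_name: str) -> bool:
    """GetLocaleInfoA check as the table describes it: the returned
    language name must contain the word "Arabic"."""
    return "Arabic" in english_language_name


def gate_passes(hkls: Iterable[int], locale_name: str) -> bool:
    """Assumption: both checks must pass. That is the conservative
    reading for sandbox setup; the ATT&CK text does not say AND vs OR."""
    return has_arabic_layout(hkls) and locale_name_is_arabic(locale_name)


# Constructed scenarios: high words of the HKLs are made up, low words
# are real Windows LANGIDs.
DEFAULT_EN_US_VM = ([0x04090409], "English")
EN_US_WITH_AR_LAYOUT = ([0x04090409, 0x04010401], "English")
AR_SA_VM = ([0x04010401, 0x04090409], "Arabic")

if __name__ == "__main__":
    for label, (hkls, name) in {
        "default en-US VM": DEFAULT_EN_US_VM,
        "en-US VM with Arabic layout added": EN_US_WITH_AR_LAYOUT,
        "ar-SA VM": AR_SA_VM,
    }.items():
        print(f"{label}: payload runs = {gate_passes(hkls, name)}")
```

The second scenario is the usual trap: adding an Arabic keyboard layout to an English VM satisfies GetKeyboardLayoutList but not the locale name, so the user locale itself has to be switched before the sample will proceed, and the splash-screen click in the T1497.002 row still has to be supplied on top of that.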

Groups That Use This Software

ID | Name | References
G0021 | Molerats | [1][2]