
Spark

Posted: August 30, 2010

Spark is a backdoor Trojan that's in use by the Molerats, an Arabic-speaking threat actor. While its payload is custom with many elements unknown, victims should expect attacks involving collecting information, letting attackers issue system commands, and the downloading of other threats. Users should interact with e-mail links and attachments carefully and have their anti-malware products delete Spark after experiencing infections.

A Spark that's Been Going Longer than One Might Think

While its Enigma Protector-obfuscated variant, EnigmaSpark, is a recent iteration, the Trojan that EnigmaSpark bases itself on is years older. Arriving in 2017 during the Operation Parliament campaign, Spark is a backdoor Trojan with features that are, in many cases, still question marks to the cyber-security industry. Much of its attack behavior can only be inferred circumstantially and is comparable to that of other backdoor Trojans. However, Spark is distinguishable by its rotational keyword commands, many of which leverage unanalyzed capabilities.

Spark is Black Hat software that's specific to the broad Molerats group of hackers, which focuses on targeting entities in the Middle East. Its delivery method always uses e-mail in some capacity, with embedded links to corrupted downloads or attachments serving as the infection vectors. Different versions of Spark are just as flexible as their keyword lists, with installation methods that may or may not download the payload from an attacker's server, along with using uniquely-encrypted keys for their C&C communications.

The aftereffects of Spark infections include the following security issues, at a minimum:

  • Attackers may collect data from the user by accessing their microphone or logging keystrokes.
  • The Trojan may execute arbitrary system commands (for opening or deleting files, for instance).
  • Spark may download other threats for more-specific functions, such as collecting passwords from browser forms.

Although not exclusive to them, most targets of Spark attempted installations as of 2020 are recipients with interests in Middle Eastern politics, such as Palestinian peace negotiations. Accordingly, prospective victims may in many cases expect spear-phishing attacks with Arabic-language contents.

Catching a Spear before It Lands a Hot Blow

The spear-phishing attempts related to Spark infections that malware experts can verify target, in a majority of cases, traditional intelligence assets, such as government networks. A minority, however, occupy unusual industries, such as insurance and retail businesses. Schemes for installing the backdoor Trojan show a similar diversity, ranging from nude photograph blackmail to fake news articles. Additionally, the use of a 'splash screen' in some cases is visually prominent and requires the user to click the screen before Spark installs (which dodges some analysis and security features).

For preventing infections, users should avoid clicking on links that lead to suspicious files, such as RAR archives with compressed executables. Attached documents, however, are a more likely source of compromise, and they often use macros that request the user's permission. Disabling macros by default and not enabling them under questionable circumstances will remove most of the risk of a Spark installation. Password protection in documents should not be taken as a sign of safety and is a noted characteristic in some of Spark's campaigns.
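The three lure types named above (RAR archives carrying executables, Office documents with macros, and password-protected documents) can be flagged at the mail gateway from the attachment bytes alone. The following Python script is an added example written for this page, not code from the page or from any analysis of Spark; the file names, the risk tags and the sample attachments are constructed for illustration. It uses only the standard library: RAR and OLE containers are recognised by their magic numbers, and OOXML documents are opened as ZIP files to look for a `vbaProject.bin` part. A file with an OOXML extension whose bytes are an OLE container is tagged as password-protected, because encrypted OOXML documents are stored that way.

```python
"""Attachment triage for the lure types described above (added example, constructed samples)."""
import io
import zipfile

# Magic numbers of the container formats involved.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR4, RAR5
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"               # OLE2/CFB: legacy Office, encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                                      # ZIP: OOXML containers, plain archives
OOXML_EXTS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")
EXEC_EXTS = (".exe", ".scr", ".dll", ".com", ".bat", ".js", ".vbs")

# Hypothetical tag names chosen for this example.
QUARANTINE_TAGS = {"rar-archive", "office-macro", "archived-executable", "password-protected-office"}


def triage_attachment(filename, data):
    """Return a list of risk tags for one attachment, decided from its bytes, not its name."""
    tags = []
    lower = filename.lower()
    if data.startswith(RAR_MAGICS):
        # Contents cannot be listed without a RAR parser; the archive itself is the signal.
        tags.append("rar-archive")
    if data.startswith(OLE_MAGIC):
        if lower.endswith(OOXML_EXTS):
            # An OOXML name on an OLE container means the document was saved encrypted.
            tags.append("password-protected-office")
        else:
            tags.append("legacy-office-binary")
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
            tags.append("corrupt-zip")
        if any(n.endswith("vbaproject.bin") for n in names):
            tags.append("office-macro")
        if any(n.endswith(EXEC_EXTS) for n in names):
            tags.append("archived-executable")
    return tags


def should_quarantine(tags):
    """Hold the message for review when any high-risk tag is present."""
    return bool(set(tags) & QUARANTINE_TAGS)


def _build_ooxml(with_macro):
    """Constructed minimal OOXML-like ZIP, optionally carrying a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed sample attachments (not real lures).
SAMPLES = {
    "agenda.docx": _build_ooxml(with_macro=False),
    "agenda.docm": _build_ooxml(with_macro=True),
    "report.docx": OLE_MAGIC + b"\x00" * 32,
    "photos.rar": RAR_MAGICS[0] + b"\x00" * 32,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        tags = triage_attachment(name, blob)
        verdict = "QUARANTINE" if should_quarantine(tags) else "deliver"
        print(f"{name:14} {verdict:10} {tags}")
```

The check deliberately ignores the claimed extension when deciding what a file is, so renaming a macro document or an archive does not change the outcome; the extension is consulted only to notice the encrypted-OOXML mismatch. Messages that reach quarantine still need a sandbox or analyst to open password-protected files and RAR archives, which this script cannot inspect.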

Users also should update their anti-malware products' databases as appropriate for catching new threats. While attribution of Spark activity goes back to 2017, it receives ongoing development, and only similarly-updated anti-malware services may remove Spark properly.

Backdoor Trojans are the workhorses of the Internet-age information collection industry. While Spark's job is inglorious, the features it gives to hackers are comparable to burglars holding the keys to a bank, with the added benefit of nigh-invisibility.
