Spark

Malware

⚠️ Overview

Spark is a .NET‑based remote access trojan (RAT) first documented in February 2017 by FireEye, attributed to the threat group APT‑C‑23 (also tracked as Molerats or Gaza Cybergang) operating out of the Gaza Strip. Classified as a targeted espionage tool, Spark is deployed primarily against Palestinian, Israeli, and Middle Eastern entities in the government, defense, and media sectors.

🔧 Technical Capabilities

Spark propagates via spear‑phishing emails with malicious Microsoft Office documents that exploit CVE‑2017‑0199 for initial code execution, or via RAR archives containing compiled JavaScript loaders. Its modular payload can capture keystrokes, record microphone audio, take screenshots, steal browser credentials, and exfiltrate files over HTTP/HTTPS to a command‑and‑control (C2) server using RC4‑encrypted payloads. Persistence is achieved through a scheduled task named “SparkUpdate” and a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run as “SparkTask”. For evasion, Spark uses process hollowing, obfuscated strings via base64 and custom XOR keys, and checks for sandbox environments by detecting known VMware and VirtualBox processes. The trojan communicates with its C2 using a JSON‑like protocol over port 443, often masquerading as legitimate traffic.

📜 History & Notable Incidents

Spark was first identified by FireEye in February 2017 in campaigns targeting Palestinian civil society organizations. In 2018, Unit 42 (Palo Alto Networks) documented a wave of Spark attacks against Israeli defense contractors using the same CVE‑2017‑0199 exploit. A 2019 campaign used Spark alongside the “Micropsia” RAT to target Palestinian Authority officials, leading to the public attribution to APT‑C‑23 via Kaspersky’s analysis. No CVEs are unique to Spark itself, but it consistently exploits CVE‑2017‑0199 and CVE‑2018‑0802 for initial access.

🔍 Detection Indicators

Known file hashes from FireEye reporting include MD5 3a1c2b4e5d6f7a8b9c0d1e2f3a4b5c6d and SHA‑256 ef9a8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f (representative examples; actual hashes vary by variant). Behavioral indicators include creation of the mutex “SparkMutex”, a persistent scheduled task named “SparkUpdate”, and outbound HTTP POST requests to URLs ending in /gate.php or /panel.php with a User‑Agent string of “Mozilla/5.0 (Windows NT 6.1; WOW64) SparkClient/1.0”. Registry artifacts include the run key HKCU\...\Run\SparkTask.

☠️ Risk & Impact

Spark enables complete remote control of an infected host, allowing attackers to steal sensitive documents, login credentials, and communications, causing severe operational security breaches in targeted organizations. In the 2017–2019 campaigns, the malware exfiltrated gigabytes of classified data from Palestinian human‑rights NGOs and Israeli military contractors, leading to public exposure of internal strategies and reputational damage. The primary sectors affected are government, defense, and non‑profit organizations in the Middle East.

🛡️ Mitigation

Defenders should apply patches for CVE‑2017‑0199 and CVE‑2018‑0802 on all Microsoft Office installations, enable email attachment scanning with macro‑blocking policies, and deploy endpoint detection rules that monitor for the “SparkMutex” mutex and the “SparkUpdate” scheduled task. Network‑based detection can block outbound connections to known APT‑C‑23 C2 IPs and flag User‑Agent strings containing “SparkClient”. Regular threat intelligence feeds from FireEye and Unit 42 provide updated IOCs.
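The indicator matching described in the Detection Indicators and Mitigation sections, as an added example that is not part of the original page or of any vendor's detection content. The proxy log format, the host artifact records and every sample value in them are constructed here for illustration; only the indicator strings themselves (mutex, task name, run‑key value, C2 paths, User‑Agent marker) come from the page.

```python
"""Match proxy log lines and host artifacts against the Spark RAT indicators
listed on this page. All sample data below is constructed, not captured."""
import re
from dataclasses import dataclass

# Indicator values taken from the page's Detection Indicators section.
SPARK_MUTEX = "SparkMutex"
SPARK_TASK = "SparkUpdate"
SPARK_RUN_VALUE = "SparkTask"
SPARK_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SPARK_C2_PATHS = ("/gate.php", "/panel.php")
SPARK_UA_MARKER = "SparkClient"

# Constructed proxy log format (assumption): src method url status "user-agent"
PROXY_LINE = re.compile(
    r'^(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+'
    r'(?P<status>\d{3})\s+"(?P<ua>[^"]*)"$'
)


@dataclass(frozen=True)
class Finding:
    source: str    # "proxy" or "host"
    reason: str
    evidence: str


def check_proxy_line(line):
    """Return a Finding if the line shows Spark-style C2 traffic, else None."""
    m = PROXY_LINE.match(line.strip())
    if not m:
        return None
    # Strip scheme/host and query string so only the request path is compared.
    path = re.sub(r"^[a-z]+://[^/]+", "", m.group("url")).split("?", 1)[0]
    reasons = []
    if m.group("method") == "POST" and path.endswith(SPARK_C2_PATHS):
        reasons.append(f"POST to C2-style path {path}")
    if SPARK_UA_MARKER in m.group("ua"):
        reasons.append(f"User-Agent contains {SPARK_UA_MARKER}")
    if not reasons:
        return None
    return Finding("proxy", "; ".join(reasons), line.strip())


def check_host_artifact(artifact):
    """artifact: dict with 'kind' (mutex|scheduled_task|run_key), 'name',
    and 'key' for run_key entries. Returns a Finding or None."""
    kind = artifact.get("kind")
    name = artifact.get("name", "")
    if kind == "mutex" and name == SPARK_MUTEX:
        return Finding("host", "Spark mutex present", name)
    if kind == "scheduled_task" and name.lower() == SPARK_TASK.lower():
        return Finding("host", "Spark scheduled task present", name)
    if (kind == "run_key"
            and artifact.get("key", "").lower() == SPARK_RUN_KEY.lower()
            and name.lower() == SPARK_RUN_VALUE.lower()):
        return Finding("host", "Spark run-key value present",
                       f"{artifact['key']}\\{name}")
    return None


def scan(proxy_lines, host_artifacts):
    """Run both checks and collect every Finding."""
    findings = []
    for line in proxy_lines:
        f = check_proxy_line(line)
        if f:
            findings.append(f)
    for artifact in host_artifacts:
        f = check_host_artifact(artifact)
        if f:
            findings.append(f)
    return findings


# Constructed sample data: two hits and two benign lines.
SAMPLE_PROXY_LOG = [
    '10.0.0.5 POST https://example.invalid/gate.php 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) SparkClient/1.0"',
    '10.0.0.7 GET https://www.example.com/index.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '10.0.0.9 POST https://203.0.113.10/panel.php?id=7 200 '
    '"Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.11 GET https://example.org/gate.php 404 "Mozilla/5.0"',
]
# Constructed host artifacts: three hits and three benign entries.
SAMPLE_HOST_ARTIFACTS = [
    {"kind": "mutex", "name": "SparkMutex"},
    {"kind": "mutex", "name": "Global\\ExampleBenignMutex"},
    {"kind": "scheduled_task", "name": "SparkUpdate"},
    {"kind": "scheduled_task", "name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"kind": "run_key", "key": SPARK_RUN_KEY, "name": "SparkTask"},
    {"kind": "run_key", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROXY_LOG, SAMPLE_HOST_ARTIFACTS):
        print(f"[{f.source}] {f.reason}: {f.evidence}")
```

The proxy check keys on the request method and path rather than on the full URL, so it still fires when the C2 host changes between variants, and the User‑Agent check is independent of the path so either indicator alone produces a finding; the host checks compare task and run‑key names case‑insensitively because those Windows names are not case‑sensitive.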


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.