Tag: SparrowDoor

  • FamousSparrow Hackers Enhance Cyber Attacks with Modular Backdoor

    A China-aligned cyberespionage group tracked as FamousSparrow has been observed using upgraded versions of its SparrowDoor backdoor in attacks against a United States-based trade organization, according to researchers at ESET. The activity is the first that ESET has been able to attribute to the group since 2022, when it was last publicly documented.

    The same campaign also hit a Mexican research institute and a government institution in Honduras. In each case ESET found that initial access was obtained by exploiting outdated, internet-exposed Microsoft Exchange and Windows Server installations, after which the attackers dropped web shells and used them to run further commands on the host.

    ESET's analysis identified two previously undocumented versions of SparrowDoor that show better code quality and a cleaner architecture. The upgrades include stronger configuration encryption, new persistence mechanisms and, most significantly, parallel command execution: each command received from the command-and-control (C&C) server runs in its own thread, so a long-running task such as a file transfer or an interactive shell no longer blocks the backdoor from accepting and executing further commands, which makes the implant far more responsive to its operators.

    The newest version is also modular: it loads plugins sent by the C&C server at runtime, and those plugins add capabilities such as keylogging, proxying, file transfer, and process manipulation. FamousSparrow's use of the ShadowPad remote access trojan (RAT) in this campaign further indicates that the group now has access to tooling that is shared privately among Chinese state-aligned actors.

    Such overlaps are why some vendors fold FamousSparrow into a broader cluster: Microsoft, for example, tracks it as part of the activity it calls Salt Typhoon. The evidence points to shared tooling or infrastructure among these groups, which suggests a common supplier of capabilities feeding attacks against many sectors worldwide rather than a single actor.

  • New Variants of SparrowDoor Malware Linked to Chinese Threat Actor FamousSparrow

    The China-aligned cyberespionage group FamousSparrow has been identified as responsible for a recent attack on a trade organization in the United States and a research institution in Mexico. The operation is notable for the deployment of two newly discovered variants of the SparrowDoor backdoor and for the use of ShadowPad, a malware family closely associated with Chinese state-sponsored actors.

    According to ESET's report, the activity dates from July 2024 and is the first time FamousSparrow has been seen using ShadowPad. ESET describes the new SparrowDoor variants as a considerable step forward, most notably in their ability to handle commands in parallel, a sign that the actor continues to refine its tools.

    FamousSparrow was first documented in September 2021, with earlier activity tied to attacks on hotels, government entities, and construction firms. Other vendors have linked FamousSparrow to clusters such as Earth Estries and Salt Typhoon, but ESET tracks it as a distinct group. Its initial-access technique is to deploy a web shell on a compromised Internet Information Services (IIS) server and use it as a foothold into the internal network.

    The attack chain relies on victims running outdated Windows Server and Microsoft Exchange Server builds that remain exposed to known, patched vulnerabilities. Once the web shell is in place, the attackers use it to run remote commands that stage and launch the SparrowDoor and ShadowPad backdoors. The newest SparrowDoor variant's support for simultaneous command execution makes it more responsive to its operators during that post-exploitation phase.
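    Both entries above describe the same initial-access pattern: a web shell dropped on an outdated Exchange/IIS host and then used to run commands. The following Python script is an added example, not code from ESET or from either article, showing how a responder can triage IIS W3C access logs for that pattern. It flags POST requests to server-side scripts outside an allowlist of expected Exchange paths and any script requested from a directory that should only hold static content. The sample log lines, the allowlist prefixes and the `/aspnet_client/` static-only directory are constructed assumptions to be tuned against the server's own baseline.

```python
"""Triage IIS W3C access logs for web-shell-like requests.

Added example (hypothetical; not code from ESET or the articles above).
The log lines, the allowlist and the static-only directory are constructed
assumptions to be tuned per environment.
"""
import re
from collections import Counter

# Assumption: paths under which POSTs to .aspx pages are normal on an Exchange/IIS
# host. Example prefixes only; build the real list from the server's own baseline.
ALLOWED_POST_PREFIXES = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/")

# Assumption: directories that should only ever serve static content. Any
# server-side script requested here is treated as a web-shell indicator.
STATIC_ONLY_PREFIXES = ("/aspnet_client/",)

SCRIPT_EXT = re.compile(r"\.(aspx|ashx|asmx|asp)$", re.IGNORECASE)

# Constructed sample in IIS W3C extended format (not real traffic). 203.0.113.7 and
# 198.51.100.23 are documentation addresses; the err.aspx file name is made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-07-10 08:12:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2024-07-10 08:12:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 302
2024-07-10 08:15:44 10.0.0.5 POST /aspnet_client/system_web/err.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2024-07-10 08:15:52 10.0.0.5 POST /aspnet_client/system_web/err.aspx cmd=whoami 443 - 198.51.100.23 python-requests/2.31 200
2024-07-10 08:16:03 10.0.0.5 GET /aspnet_client/system_web/err.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2024-07-10 09:02:11 10.0.0.5 POST /ecp/default.aspx - 443 - 10.0.0.40 Mozilla/5.0 200
2024-07-10 09:40:30 10.0.0.5 POST /default.aspx - 443 - 198.51.100.23 curl/8.0 200
this line is truncated and must be skipped
"""


def parse_w3c(text):
    """Yield one dict per data line, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("no #Fields: header before first data line")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, values))


def classify(record):
    """Return a reason string if the request looks like web-shell traffic, else None."""
    uri = record.get("cs-uri-stem", "").lower()
    method = record.get("cs-method", "").upper()
    if not SCRIPT_EXT.search(uri):
        return None
    if uri.startswith(STATIC_ONLY_PREFIXES):
        return "script requested from static-only directory"
    if method == "POST" and not uri.startswith(ALLOWED_POST_PREFIXES):
        return "POST to script outside allowlist"
    return None


def find_suspicious(text):
    """Aggregate suspicious requests as sorted (client_ip, uri, reason, count) tuples."""
    counts = Counter()
    for rec in parse_w3c(text):
        reason = classify(rec)
        if reason:
            counts[(rec["c-ip"], rec["cs-uri-stem"], reason)] += 1
    return sorted((ip, uri, reason, n) for (ip, uri, reason), n in counts.items())


if __name__ == "__main__":
    for ip, uri, reason, n in find_suspicious(SAMPLE_LOG):
        print(f"{ip:16} {n:3d}x {uri}  [{reason}]")
```

    Run against a real log directory, the output is a short list of client/URI pairs to inspect on disk; a hit under a static-only directory deserves a file-system check of that path before anything else, since legitimate Exchange traffic never needs a script there. The allowlist is deliberately conservative so that a new .aspx file dropped anywhere else and driven by POSTs surfaces on its first use.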

    Researchers continue to watch FamousSparrow closely, since the group is plainly still developing new iterations of its malware. Given how these intrusions began, keeping internet-facing Exchange and Windows servers patched and monitoring them for web-shell activity remain the most practical defenses against this persistent threat.