- ESET discovers multiple new variants of SparrowDoor, a piece of malware used by FamousSparrow
- The investigation uncovered group’s activity between 2022-2024
- It was targeting government agencies, researchers, and financial institutions
FamousSparrow, a Chinese state-sponsored threat actor thought to be retired, is not only active, but has been targeting government, financial organizations, and research institutes, for years now, experts have revealed.
Cybersecurity researchers at ESET recently stumbled upon a new variant of FamousSparrow’s malware, leading them down a rabbit hole exposing the group’s activities across the globe.
ESET said that it was brought in by an unnamed trade group in the United States, operating in the financial sector, to assist with a malware infection. The investigators found two previously undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor.
SparrowDoor
ESET said that the group hasn’t been heard of since 2022, which made the cybersecurity community think it was inactive.
However, during that period, FamousSparrow targeted a government institution in Honduras, and a research institute in Mexico.
In fact, the latter was breached “just a couple of days prior to the compromise in the US” (both had happened in July 2024).
“Both of these versions of SparrowDoor constitute marked progress over earlier iterations, especially in terms of code quality and architecture, and one implements parallelization of commands,” ESET said.
“While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow,” says ESET researcher Alexandre Côté Cyr, who made the discovery.
The investigators said they couldn’t determine the initial infection vector, but added that the company used outdated versions of Windows Server and Microsoft Exchange, both of which have multiple, publicly available exploits.
Whichever vulnerability they used, FamousSparrow deployed a webshell on an IIS server, gaining access and the ability to deploy additional payloads.
Besides SparrowDoor, the group used ShadowPad, and other tools capable of running commands, keylogging, exfiltrating files, taking screenshots, and more.
Leave a comment