The FamousSparrow cyberespionage group, assessed to be China-aligned, has been observed using a new modular version of its signature backdoor, SparrowDoor, against a US-based trade organisation.
Researchers also found that the group has been more active than previously thought since its last reported operations in 2022. Besides the US trade organisation, which operates in the financial sector, recent intrusions at a Mexican research centre and a Honduran government institution have been attributed to the same group.
In each of these incidents, initial access was obtained by exploiting outdated Microsoft Exchange and Windows Server installations and deploying webshells on them.
SparrowDoor: FamousSparrow's reworked backdoor.
The investigation found two previously undocumented versions of SparrowDoor.
The first closely resembles a backdoor previously attributed to the Earth Estries group, but with improved code quality and architecture, an encrypted configuration, new persistence methods, and stealthier switching between C2 servers.
The researchers singled out one new feature shared by both versions: parallel command execution. Each incoming command is handled in its own thread, so the backdoor keeps listening for and processing new commands while earlier, long-running ones (such as an interactive shell session or a file transfer) are still in progress.
The second version is the bigger departure: it is a modular backdoor with a plugin-based architecture. It can receive additional plugins from the attacker-controlled command-and-control server at runtime and load them entirely in memory, extending its capabilities without writing new components to disk, which keeps its footprint small and the operation quiet.
The plugins observed so far provide shell access, file system manipulation, keylogging, proxying, screenshot capture, file transfer, process listing and termination, and a ShadowPad connection.
Another notable finding is FamousSparrow's use of ShadowPad, a versatile modular remote access trojan (RAT) shared among several China-aligned APT groups. In the observed attacks, ShadowPad was loaded by DLL side-loading: a legitimately signed Microsoft Office IME executable, renamed by the attackers, loads a malicious DLL placed alongside it.
The loader then injects the ShadowPad payload into a Windows Media Player process, which connects to a known C2 server associated with the RAT. This detail suggests that FamousSparrow, like other China-aligned state-sponsored groups, now has access to this shared tooling.
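The tradecraft in the two passages above, webshells on outdated Exchange servers for initial access and a renamed signed binary side-loading a DLL and then injecting into Windows Media Player, leaves recognisable process and image-load telemetry. The following is an added example, not code from ESET or from the article: four hunting rules plus a correlation step, run over constructed Sysmon-style events. Field names follow the Sysmon schema (EventID 1 process create, 7 image load, 8 CreateRemoteThread); the paths, the on-disk name `svc.exe` and the OriginalFileName value `officeime.exe` are placeholders, not the real binaries from the campaign.

```python
"""Hunting rules for webshell-spawned shells and a side-load-then-inject
loader chain, run over constructed Sysmon-style events.
Added example; not ESET's or the article's code."""

# Constructed sample telemetry (not real captures). Field names follow the
# Sysmon schema; file names and paths are placeholders.
SAMPLE_EVENTS = [
    # IIS worker on an Exchange server spawning a shell: webshell footprint.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "OriginalFileName": "Cmd.Exe"},
    # A renamed signed binary: the PE's OriginalFileName (placeholder
    # "officeime.exe") no longer matches the on-disk name.
    {"EventID": 1, "Image": r"C:\ProgramData\Update\svc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "officeime.exe"},
    # The same process loads an unsigned DLL from its own directory.
    {"EventID": 7, "Image": r"C:\ProgramData\Update\svc.exe",
     "ImageLoaded": r"C:\ProgramData\Update\helper.dll",
     "Signed": "false"},
    # ... and then opens a remote thread in Windows Media Player.
    {"EventID": 8, "SourceImage": r"C:\ProgramData\Update\svc.exe",
     "TargetImage": r"C:\Program Files\Windows Media Player\wmplayer.exe"},
    # Benign noise that must not fire.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "NOTEPAD.EXE"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
]

WEB_WORKERS = {"w3wp.exe"}                        # IIS / Exchange worker
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INJECTION_TARGETS = {"wmplayer.exe"}              # Windows Media Player


def _base(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _dir(path):
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def webshell_spawn(ev):
    """A shell launched directly by a web worker process."""
    return (ev["EventID"] == 1
            and _base(ev["ParentImage"]) in WEB_WORKERS
            and _base(ev["Image"]) in SHELLS)


def renamed_binary(ev):
    """On-disk name differs from the PE's embedded OriginalFileName."""
    return (ev["EventID"] == 1
            and "OriginalFileName" in ev
            and _base(ev["Image"]) != ev["OriginalFileName"].lower())


def dll_sideload(ev):
    """Unsigned DLL loaded from the loading executable's own directory."""
    return (ev["EventID"] == 7
            and ev.get("Signed", "false").lower() != "true"
            and _dir(ev["ImageLoaded"]) == _dir(ev["Image"]))


def remote_thread_into_player(ev):
    """CreateRemoteThread whose target is a media-player process."""
    return (ev["EventID"] == 8
            and _base(ev["TargetImage"]) in INJECTION_TARGETS)


RULES = [webshell_spawn, renamed_binary, dll_sideload,
         remote_thread_into_player]


def hunt(events):
    """Return (rule_name, image) hits, then one correlated hit per image
    that is renamed, side-loads a DLL and injects into the player."""
    hits = []
    for ev in events:
        src = ev.get("SourceImage", ev.get("Image", ""))
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, _base(src)))
    by_image = {}
    for name, img in hits:
        by_image.setdefault(img, set()).add(name)
    chain = {"renamed_binary", "dll_sideload", "remote_thread_into_player"}
    for img, names in by_image.items():
        if chain <= names:
            hits.append(("sideload_and_inject_chain", img))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The individual rules are noisy on their own: installers legitimately copy signed binaries under new names, many third-party DLLs are unsigned, and some software does open remote threads in other processes. The value is in the correlation step, which only raises the chain alert when one image trips all three loader rules; treat the single-rule hits as triage leads and add allowlists for known software before running this at scale.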
Because these China-aligned espionage groups draw on state resources and shared tooling, they can be expected to mount increasingly sophisticated attacks.
