FamousSparrow Deploys New Malware with Custom Backdoor Targeting Hotels and Engineering Firms

ESET researchers have uncovered new activity from the China-aligned APT group FamousSparrow, which is deploying two previously undocumented versions of its custom SparrowDoor backdoor.

The group, presumed inactive since 2022, has been observed targeting a trade organization in the U.S. financial sector and a research institute in Mexico.

(Figure: Format of the information sent for each listed file)

Sophisticated Malware Evolution and Expanded Toolkit

The newly discovered SparrowDoor variants demonstrate significant advancements in code quality and architecture compared to earlier versions.

Key improvements include the parallelization of time-consuming commands such as file I/O operations and interactive shell sessions, so the backdoor can keep receiving and executing new commands while a lengthy task is still in progress.

One variant closely resembles the CrowDoor malware attributed to the Earth Estries APT group, while the other introduces a modular, plugin-based architecture.

(Figure: Base packet format used for network communication)

In the modular version, only a single plugin is installed by default; its job is to load additional plugins sent by the command and control (C&C) server.

In a notable development, FamousSparrow has incorporated the ShadowPad backdoor into its arsenal for the first time.

(Figure: Overview of the compromise chain used in this FamousSparrow campaign)

ShadowPad, a privately sold backdoor known to be supplied exclusively to China-aligned threat actors, was deployed using a loader that bears similarities to loaders previously documented by Cisco Talos.

Expanded Target Profile and Infrastructure

While FamousSparrow was initially known for targeting hotels worldwide, the group has broadened its focus to include governments, international organizations, engineering companies, and law firms.

The recent campaign also targeted a governmental institution in Honduras, indicating an expansion of the group’s geographical interests.

The attackers utilized a mix of custom and publicly available tools for initial access and lateral movement.

According to ESET's report, these included a .NET webshell for establishing persistence, the open-source PowerHub post-exploitation framework, and the BadPotato privilege escalation technique.

The group also employed a modified version of the open-source Spark RAT and tools for dumping LSASS memory.
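The LSASS memory dumping mentioned above is one of the few parts of this toolkit a defender can hunt for generically, because every dumper has to open a handle to lsass.exe with read access to its memory. The following is an added example, not code from ESET's report or from this article: detection logic over constructed Sysmon Event ID 10 (ProcessAccess) records that flags any process opening lsass.exe with PROCESS_VM_READ unless it is on a small allowlist, and additionally notes call traces containing unbacked (UNKNOWN) modules, which is typical of injected code. The log lines, the allowlist and the key=value record format are assumptions made for illustration; real Sysmon events are XML or JSON and the allowlist must be tuned per environment.

```python
"""Flag suspicious LSASS handle opens in Sysmon Event ID 10 (ProcessAccess) records.

Added example, not taken from the ESET report or the article. The records
below are constructed; the field names follow Sysmon's ProcessAccess schema
(SourceImage, TargetImage, GrantedAccess, CallTrace).
"""
import re

# Access-mask bit that any credential dumper needs on lsass.exe.
PROCESS_VM_READ = 0x0010

# Processes that legitimately read LSASS memory on a typical host
# (assumption for this example; tune per environment).
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed records, one per line, in key=value form.
SAMPLE_LOG = r"""
SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d264
SourceImage=C:\Users\Public\ph.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d264|UNKNOWN(000001C3)
SourceImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d264|C:\Windows\System32\KERNELBASE.dll+2e6fe
SourceImage=C:\Windows\System32\taskmgr.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1410 CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d264
"""

# A value runs lazily until the next " Key=" token or end of line, so paths
# containing spaces (e.g. "Program Files") survive parsing.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_record(line):
    """Split one key=value record into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line.strip())}


def is_suspicious_lsass_access(rec):
    """Return a reason string if the record looks like a credential-dump attempt, else None."""
    target = rec.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return None
    access = int(rec.get("GrantedAccess", "0"), 16)
    # Handles that only query process information (0x1000, 0x1400) cannot
    # read memory and are common from benign tooling; skip them.
    if not access & PROCESS_VM_READ:
        return None
    source = rec.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return None
    reasons = [f"{source} opened lsass.exe with access mask 0x{access:X}"]
    if "UNKNOWN" in rec.get("CallTrace", ""):
        reasons.append("call trace contains an unbacked (UNKNOWN) module, typical of injected code")
    return "; ".join(reasons)


def scan(log_text):
    """Run the rule over every record and return (SourceImage, reason) pairs."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        why = is_suspicious_lsass_access(rec)
        if why:
            alerts.append((rec["SourceImage"], why))
    return alerts


if __name__ == "__main__":
    for src, why in scan(SAMPLE_LOG):
        print(f"ALERT {src}: {why}")
```

Run against the constructed records, the rule stays quiet on svchost.exe (query-only access) and on the non-LSASS handle, and raises two alerts: the unsigned binary in a user-writable path whose call trace includes an unbacked module, and PowerShell requesting PROCESS_ALL_ACCESS on lsass.exe. In production the allowlist should be keyed on signed, hash-verified images rather than paths alone, since a dumper can be copied to a trusted path.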

FamousSparrow’s resurgence with enhanced malware capabilities and an expanded toolkit underscores the persistent threat posed by sophisticated APT groups.

Organizations in the targeted sectors should treat the tooling listed above (webshells, PowerHub, BadPotato, Spark RAT and LSASS dumping) as hunting leads and ensure their detection coverage and patch posture address these techniques.


Author: Mandvi, Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
