After a long period of dormancy, the Chinese hacker group FamousSparrow is active again. According to the IT security company ESET, the group has become increasingly dangerous and has deployed new, sophisticated espionage tools.
Their attacks target prominent organizations in the US, Mexico and Honduras, including government agencies and companies in the financial sector.
Hidden danger: New malware versions discovered
As part of its analysis, ESET discovered two previously unknown variants of the infamous SparrowDoor backdoor. These new versions show significant technical advances, particularly in modular extensibility and in the parallel execution of commands, which lets the attackers control compromised systems even more efficiently.
“Although these new versions show significant improvements, they can still be directly traced back to earlier, publicly documented versions. The loaders used in these attacks also have significant code overlaps that bear the signature of FamousSparrow,” explains Alexandre Côté Cyr, the ESET security researcher behind the analyses.
ShadowPad and Web Shell: New tactics of the hacker group
One of the most striking innovations in the attacks is the first documented use of the “ShadowPad” backdoor by this group. This sophisticated espionage tool is usually sold exclusively to hackers with connections to China and is considered particularly dangerous. The hackers also used a web shell to gain access to the affected networks, exploiting vulnerabilities in outdated versions of Windows Server and Microsoft Exchange.
In addition to its own tools, FamousSparrow also used malware associated with other APT groups allied with China. The aim of the attacks was to install the “SparrowDoor” and “ShadowPad” backdoors in order to gain full control of the target devices.
FamousSparrow – A growing threat
FamousSparrow first came to light in 2021 when the group exploited the ProxyLogon vulnerability and targeted hotels worldwide. Since then, however, its target area has expanded significantly. Today, governments, technology companies and law firms are also affected.
An earlier report linked FamousSparrow to other APT groups such as GhostEmperor and Salt Typhoon. However, ESET’s new research refutes this assumption.
“We see GhostEmperor and FamousSparrow as two different groups. There is little overlap between the two, but many discrepancies. Based on our data and analysis of publicly available reports, FamousSparrow appears to be a separate group with loose links to the others,” Côté Cyr continues.
Conclusion
FamousSparrow remains a serious cybersecurity threat. Its advanced attack tactics and use of sophisticated malware make it a growing danger to organizations worldwide.
For more information, see the blog post “You’ll never forget the day you caught FamousSparrow” on WeLiveSecurity.com.
(vp/ESET Deutschland GmbH)