In a significant development within the cybersecurity landscape, the Advanced Persistent Threat (APT) group known as FamousSparrow has re-emerged after a period of dormancy since 2022. This resurgence is marked by the deployment of two newly identified versions of their proprietary backdoor, SparrowDoor, aimed at organizations within the financial sector and research institutions across various countries.
The reactivation of FamousSparrow was first detected in July 2024 by ESET researchers during an investigation into anomalous activities on the systems of a U.S.-based trade group operating within the financial sector. This discovery underscores the group’s sustained operations and their commitment to enhancing their cyber-espionage capabilities.
Technical Evolution of SparrowDoor
The latest iterations of SparrowDoor exhibit significant advancements in both code quality and architectural design. A notable enhancement is the implementation of command parallelization, allowing the backdoor to process multiple commands simultaneously. This multi-threaded approach ensures that time-intensive operations, such as file input/output and interactive shell sessions, do not impede the execution of new commands.
Upon receiving parallelized commands, SparrowDoor initiates new threads that establish separate connections to the command-and-control (C&C) server. Each connection transmits the victim’s unique identifier along with a command identifier, enabling the C&C server to efficiently manage and track activities associated with each compromised system.
Persistence Mechanisms
To maintain a foothold within compromised systems, SparrowDoor employs robust persistence mechanisms. These include the creation of a service named K7Soft, configured to execute automatically upon system startup, and the establishment of a registry Run key bearing the same name. These strategies ensure the backdoor’s resilience against system reboots and potential remediation efforts.
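The two persistence artifacts named above (a service called K7Soft and a Run key value of the same name) are the easiest part of this activity for a defender to check for directly. The following PowerShell script is an added example written for this article, not code from ESET or from the report; the only detail it takes from the report is the artifact name, and the registry paths, output format and the choice to report rather than remove are this example's own assumptions. It is meant to be run as a local administrator on a host under review.

```powershell
# Added example (not from the original report): hunt for the SparrowDoor
# persistence artifacts described in the article, a service named K7Soft and
# a Run key value with the same name. Only the name "K7Soft" comes from the
# report; everything else here is this example's own choice.

$ArtifactName = 'K7Soft'
$Findings = @()

# 1. A service with that name. Win32_Service exposes the start mode and the
#    binary path, which is what an analyst wants to preserve and hash.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$ArtifactName'" -ErrorAction SilentlyContinue
if ($svc) {
    $Findings += [pscustomobject]@{
        Type      = 'Service'
        Location  = $svc.Name
        StartMode = $svc.StartMode
        Value     = $svc.PathName
    }
}

# 2. A Run key value with that name, machine-wide (native and WOW64 views)
#    and for the account running the script. Other users' HKCU hives are only
#    visible under HKU: while those profiles are loaded, so review them separately.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (Test-Path -Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -contains $ArtifactName) {
            $Findings += [pscustomobject]@{
                Type      = 'RunKey'
                Location  = $key
                StartMode = 'Logon'
                Value     = $props.$ArtifactName
            }
        }
    }
}

# Report only. Removing the artifacts before the binary and its network
# activity have been captured destroys evidence and may trigger a re-install
# from whatever the other persistence path is still holding.
if ($Findings.Count -eq 0) {
    Write-Output "No '$ArtifactName' service or Run key value found on $env:COMPUTERNAME."
} else {
    Write-Warning "Possible SparrowDoor persistence on $env:COMPUTERNAME; preserve the host and escalate before removing anything."
    $Findings | Format-Table -AutoSize
}
```

Because the service and the Run key are described as carrying the same name, a host where only one of the two is present still deserves a look: a partially cleaned machine looks exactly like that.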
Expanded Toolset and Tactics
In addition to the enhanced SparrowDoor backdoor, FamousSparrow has incorporated other sophisticated tools into their arsenal. Notably, the group has been observed utilizing ShadowPad, a privately sold backdoor known to be supplied exclusively to China-aligned threat actors. This marks the first recorded instance of FamousSparrow deploying ShadowPad, indicating a strategic expansion of their toolset.
The group’s attack methodology typically commences with the deployment of web shells on outdated Internet Information Services (IIS) or Microsoft Exchange servers. This initial compromise facilitates lateral movement within the target network, culminating in the installation of the advanced SparrowDoor variants.
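The parallelized command handling described under "Technical Evolution of SparrowDoor" has a visible side effect on the host: each parallel command opens its own connection to the C&C server, so a single process can hold several simultaneous established TCP connections to the same external address. The script below is an added example for triage written for this article, not code from the report; the threshold, the private-address exclusion and the output fields are assumptions of the example, not indicators published by ESET. Browsers, sync clients and update agents legitimately behave the same way, so treat it as a filter that narrows what an analyst looks at, not as an alert.

```powershell
# Added example (not from the original report): list processes holding
# several simultaneous established TCP connections to one external address,
# the pattern the article attributes to SparrowDoor's per-command C&C
# connections. The threshold value is an assumption chosen for this example.
param([int]$Threshold = 3)

function Test-PrivateAddress([string]$ip) {
    # Loopback, link-local and RFC 1918 ranges are treated as internal;
    # everything else counts as external for this heuristic.
    return $ip -match '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|::1$|fe80:)'
}

$suspects = Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    Group-Object -Property OwningProcess, RemoteAddress |
    Where-Object { $_.Count -ge $Threshold }

$report = foreach ($group in $suspects) {
    $ownerPid = $group.Group[0].OwningProcess
    $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID           = $ownerPid
        ProcessName   = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path          = if ($proc) { $proc.Path } else { '' }
        RemoteAddress = $group.Group[0].RemoteAddress
        RemotePorts   = ($group.Group.RemotePort | Sort-Object -Unique) -join ','
        Connections   = $group.Count
    }
}

if (-not $report) {
    Write-Output "No process on $env:COMPUTERNAME holds $Threshold or more established connections to a single external address."
} else {
    # Sort the busiest pairs first; unsigned or oddly located binaries near
    # the top of this list are the ones worth pulling for analysis.
    $report | Sort-Object -Property Connections -Descending | Format-Table -AutoSize
}
```

Cross-referencing the Path column against the binary path recorded for the K7Soft service, where that artifact is present, is the quickest way to connect a suspicious connection group to the persistence mechanism the report describes.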
Potential Overlaps with Other APT Groups
Intriguingly, one of the new SparrowDoor versions bears similarities to a backdoor referred to as CrowDoor by other security firms, which has been attributed to the Earth Estries APT group. This resemblance suggests potential overlaps or shared resources between these threat actors, highlighting the complex and interconnected nature of the cyber-espionage ecosystem.
Global Targeting and Implications
FamousSparrow’s recent activities have predominantly targeted organizations within the financial sector and research institutions, reflecting a strategic focus on entities that hold valuable and sensitive information. The geographical distribution of these attacks spans multiple countries, underscoring the group’s global reach and the transnational nature of cyber threats.
The re-emergence of FamousSparrow with enhanced capabilities serves as a stark reminder of the persistent and evolving threats posed by APT groups. Organizations are urged to adopt comprehensive cybersecurity measures, including regular patching of internet-facing applications, continuous monitoring for anomalous activities, and the implementation of robust incident response protocols.
In conclusion, the resurgence of FamousSparrow and the deployment of advanced versions of SparrowDoor highlight the dynamic and adaptive strategies employed by cyber-espionage groups. This development emphasizes the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts to safeguard against sophisticated and persistent threats.