- ESET discovers multiple new variants of SparrowDoor, a piece of malware used by FamousSparrow
- The research uncovered the group's activity between 2022 and 2024
- It was aimed at government agencies, researchers and financial institutions.
FamousSparrow, a Chinese state-sponsored threat actor that was believed to be retired, is not only still active but has been targeting governments, financial organizations and research institutes for years, experts have revealed.
ESET cybersecurity researchers recently came across a new variant of FamousSparrow malware, which led them down a rabbit hole that exposed the group's activities worldwide.
ESET said it was brought in by an unidentified commercial organization in the United States, operating in the financial sector, to help with a malware infection. The researchers found two previously undocumented versions of SparrowDoor, FamousSparrow's flagship backdoor.
Splatter
ESET said the group had not been heard from since 2022, which led the cybersecurity community to think it was inactive.
However, during that period, FamousSparrow targeted a government institution in Honduras and a research institute in Mexico.
In fact, the latter was breached “only a couple of days before the compromise in the United States” (both happened in July 2024).
“Both versions of SparrowDoor constitute marked progress over previous iterations, especially in terms of code quality and architecture, and one implements command parallelization,” said ESET.
“While these new versions exhibit significant updates, they can still be traced directly back to previously publicly documented versions. The loaders used in these attacks also have substantial code overlaps with samples previously attributed to FamousSparrow,” says ESET researcher Alexandre Côté Cyr, who made the discovery.
The researchers said they could not determine the initial infection vector, but added that the company was running outdated versions of Windows Server and Microsoft Exchange, for which multiple exploits are publicly available.
Whichever vulnerability they used, FamousSparrow deployed a web shell on an IIS server, gaining access and the ability to deploy additional payloads.
In addition to SparrowDoor, the group used ShadowPad and other tools capable of running commands, keylogging, exfiltrating files, taking screenshots and more.