New FamousSparrow Malware Targets Hotels and Engineering Firms with Custom Backdoor

ESET researchers have uncovered new activity from the China-aligned APT group FamousSparrow, revealing two previously undocumented versions of their custom SparrowDoor backdoor.

The group, thought to be inactive since 2022, compromised a US-based trade organization in the financial sector and a Mexican research institute in July 2024.

The first variant closely resembles the CrowDoor malware attributed to Earth Estries, while the second introduces a modular architecture.

Both versions demonstrate significant advancements in code quality and implement command parallelization, allowing for simultaneous execution of time-consuming operations.

Expanded Toolkit and Infrastructure

FamousSparrow’s arsenal now includes ShadowPad, a privately sold backdoor typically associated with China-aligned threat actors.

The group utilized a mix of custom and publicly available tools, including PowerHub for post-exploitation and BadPotato for privilege escalation.

The attackers initially deployed an ASHX webshell on compromised IIS servers, likely exploiting vulnerabilities in outdated Windows Server and Microsoft Exchange installations.

They then established interactive PowerShell sessions for reconnaissance and further payload deployment.

SparrowDoor’s evolution includes enhanced persistence mechanisms, utilizing both registry Run keys and Windows services.

The backdoor implements sophisticated network communication, using custom socket classes and RC4 encryption for data transmission.

This campaign marks the first observed use of ShadowPad by FamousSparrow, potentially indicating an expansion of their capabilities.

The group’s targets have diversified beyond the hospitality sector to include governments, international organizations, and engineering firms.

ESET researchers note potential overlaps between FamousSparrow and other threat actors like Earth Estries and GhostEmperor.

However, they maintain that FamousSparrow represents a distinct cluster with loose connections to these groups.

The discovery of this recent activity suggests that FamousSparrow has been continuously active and developing its toolset since 2022.

As the threat landscape evolves, organizations in targeted sectors should remain vigilant and implement robust security measures to defend against these sophisticated attacks.

Are you from SOC/DFIR Teams? – Analyse Malware, Phishing Incidents & get live Access with ANY.RUN -> Start Now for Free.