- ESET discovers several new variants of SparrowDoor, the malware used by FamousSparrow
- The research uncovered group activity between 2022 and 2024
- The group targeted government agencies, research institutes and financial institutions
FamousSparrow, a Chinese state-sponsored threat actor thought to have gone dormant, is not only still active but has been targeting government, financial and research organizations for years, experts have revealed.
Cybersecurity researchers at ESET recently stumbled on a new variant of FamousSparrow's malware, which led them down a rabbit hole exposing the group's activity around the world.
ESET said it had been brought in by an unnamed trade group in the United States, operating in the financial sector, to help with a malware infection. The investigators found two previously undocumented versions of SparrowDoor, FamousSparrow's flagship backdoor.
ESET said the group had not been heard from since 2022, which led the cybersecurity community to believe it was inactive.
During that period, however, FamousSparrow compromised a government institution in Honduras and a research institute in Mexico.
In fact, the latter was breached "only a few days before the compromise in the United States" (both occurred in July 2024).
"These two versions of SparrowDoor constitute considerable progress compared to previous iterations, in particular in terms of code quality and architecture, and command parallelization has been implemented," ESET said.
"Although these new versions have significant upgrades, they can still be traced directly back to previous, publicly documented versions. The loaders used in these attacks also share substantial code with samples previously attributed to FamousSparrow," explains ESET researcher Alexandre Côté Cyr, who made the discovery.
The investigators said they could not determine the initial infection vector, but added that the victim organization was running outdated versions of Windows Server and Microsoft Exchange, both of which have several publicly available exploits.
Whichever vulnerability they exploited, FamousSparrow deployed a webshell on an IIS server, gaining a foothold and the ability to push additional payloads.
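The article gives no indicator for the webshell itself, so the following is a generic hunt rather than a detection for this specific intrusion. It is an added example, not code from ESET or from the article: it parses IIS W3C extended log lines, ignores script endpoints on a known-good baseline, and flags any other `.aspx`/`.ashx`/`.asmx` file that receives requests, escalating on POSTs and on command-looking query strings. The log lines, the baseline and the `/aspnet_client/diag.aspx` path are all constructed for the demonstration.

```python
"""Generic webshell hunt over IIS W3C extended logs (added example, not ESET's code)."""
from collections import defaultdict

# Server-side script extensions a webshell on IIS would typically use.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")

# Constructed known-good baseline: script paths the application is expected to serve.
# In practice this comes from a file inventory of the web root taken before the incident.
BASELINE_SCRIPTS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# Constructed log excerpt. The #Fields directive is included because the parser
# reads field names from it rather than assuming a fixed column order.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-07-09 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=/owa 443 - 198.51.100.7 Mozilla/5.0 200
2024-07-09 08:02:40 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2024-07-09 08:05:03 10.0.0.5 GET /aspnet_client/diag.aspx - 443 - 203.0.113.9 python-requests/2.31 200
2024-07-09 08:05:07 10.0.0.5 POST /aspnet_client/diag.aspx cmd=whoami 443 - 203.0.113.9 python-requests/2.31 200
2024-07-09 08:05:09 10.0.0.5 POST /aspnet_client/diag.aspx cmd=ipconfig 443 - 203.0.113.9 python-requests/2.31 200
2024-07-09 08:10:55 10.0.0.5 GET /ecp/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 200
"""

# Query-string parameter names commonly used by simple command-execution webshells.
CMD_PARAMS = ("cmd=", "exec=", "command=")


def parse_iis_w3c(text):
    """Return a list of dicts, one per log record, keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # other directives (#Software, #Date, ...) carry no records
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # no header yet, or a malformed/truncated record: skip it
        records.append(dict(zip(fields, parts)))
    return records


def hunt_webshells(records, baseline):
    """Group requests to non-baseline script files by path and summarise the evidence."""
    known = {p.lower() for p in baseline}
    suspects = defaultdict(
        lambda: {"hits": 0, "posts": 0, "cmd_queries": 0, "clients": set()}
    )
    for rec in records:
        stem = rec["cs-uri-stem"].lower()
        if not stem.endswith(SCRIPT_EXTS) or stem in known:
            continue
        entry = suspects[stem]
        entry["hits"] += 1
        entry["clients"].add(rec["c-ip"])
        if rec["cs-method"].upper() == "POST":
            entry["posts"] += 1  # webshells are usually driven over POST
        query = rec["cs-uri-query"].lower()
        if query != "-" and any(
            query.startswith(p) or ("&" + p) in query for p in CMD_PARAMS
        ):
            entry["cmd_queries"] += 1
    # Sets are not stable for output; sort client IPs for deterministic reporting.
    return {
        stem: {**entry, "clients": sorted(entry["clients"])}
        for stem, entry in suspects.items()
    }


if __name__ == "__main__":
    for path, info in hunt_webshells(parse_iis_w3c(SAMPLE_LOG), BASELINE_SCRIPTS).items():
        print(f"{path}: {info['hits']} hits, {info['posts']} POSTs, "
              f"{info['cmd_queries']} command-like queries, clients={info['clients']}")
```

Two caveats a practitioner should keep in mind: a webshell that takes its commands in the POST body leaves nothing in `cs-uri-query`, so the unknown-script check carries more weight than the parameter check; and the baseline must be built from a trusted inventory, since a file dropped next to legitimate scripts before the inventory was taken would be allowlisted along with them.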
In addition to SparrowDoor, the group used ShadowPad and other tools capable of executing commands, keylogging, exfiltrating files, taking screenshots and more.