ESET researchers have identified a new cyberespionage group that is targeting hotels, governments, and private organizations around the globe. Dubbed FamousSparrow, this group is believed to be active since 2019. It is one of the earliest attackers leveraging Microsoft Exchange ProxyLogon vulnerabilities for its attacks.

What has been discovered

Experts surmise that the FamousSparrow APT group is independent of all other active APT groups. The victims targeted by the group suggest that the main intention of this group is espionage.
  • The report suggests that this group leverages vulnerabilities in Microsoft Exchange (including ProxyLogon), Microsoft SharePoint, and Oracle Opera.
  • The group mainly targets hotels but has also been observed targeting government organizations, engineering companies, and legal firms. 
  • Its victims are located across several countries, including Saudi Arabia, the U.K, Canada, Brazil, France, Taiwan, and Thailand, among others.

Backdoor’s tools and tactics

The backdoor’s ability includes creating directories, read and write files, and exfiltrate data. It is also facilitated with a kill switch, allowing hackers to uninstall or restart SparrowDoor. 
  • The ESET report reveals that the SparrowDoor backdoor is loaded on compromised servers initially via the DLL search order hijacking technique.
  • It then establishes a connection to the hackers’ C&C server for data exfiltration.
  • In addition, FamousSparrow uses several tools to target its victims, including two custom versions of Mimikatz, ProcDump, Nbtscan (a NetBIOS scanner), and a custom backdoor named SparrowDoor.

Ending notes

FamousSparrow is yet another APT group indulged in espionage activities. This highlights the rapid evolution of the cyberespionage landscape at the international level. Moreover, targeting vulnerabilities in commonly used enterprise products further highlights the need for a robust patching mechanism for all internet-facing applications.

Cyware Publisher