- ESET has detected several new variants of SparrowDoor, a piece of malware used by FamousSparrow
- The study revealed the group's activity between 2022 and 2024
- Its targets included public agencies, research institutes and financial institutions
FamousSparrow, a Chinese state-sponsored threat actor believed to have gone quiet, is not only still active but has been targeting governments, financial organizations and research institutes for years, experts have revealed.
Cybersecurity researchers at ESET recently stumbled over a new variant of FamousSparrow's malware, which led them down a rabbit hole that exposed the group's activities across the globe.
ESET said it was brought in by a trade group in the United States operating in the financial sector to help with a malware infection. Investigators found two previously undocumented versions of SparrowDoor, FamousSparrow's flagship backdoor.
SparrowDoor
ESET said the group had not been heard from since 2022, leading the cybersecurity community to think it was inactive.
During this period, however, FamousSparrow targeted a government institution in Honduras and a research institute in Mexico.
In fact, the latter was compromised "just a few days before the US compromise" (both happened in July 2024).
"Both of these versions of SparrowDoor are prominent progress on previous iterations, especially in terms of code quality and architecture, and the commands implemented," ESET said.
"While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present significant code overlaps with samples previously attributed to FamousSparrow," said ESET researcher Alexandre Côté Cyr, who made the discovery.
Investigators said they could not determine the initial infection vector, but added that the company used outdated versions of Windows Server and Microsoft Exchange, both of which have multiple publicly available exploits.
Whichever vulnerability they used, FamousSparrow deployed a webshell on an IIS server, which gave them access and the ability to deploy further payloads.
In addition to SparrowDoor, the group used ShadowPad and other tools capable of running commands, keylogging, exfiltrating files, taking screenshots and more.