A recent ESET investigation documents a quieter but more capable threat. FamousSparrow, a China-aligned espionage group, has developed and deployed new variants of its custom backdoor, SparrowDoor. The group remains active, and its current targets are organizations in the United States and Mexico. ESET first documented FamousSparrow in September 2021, and its activity has kept it on defenders' radar since.
The most recent attacks paired SparrowDoor with another piece of malware, ShadowPad. This is the first time FamousSparrow has been observed using ShadowPad, which marks a change in its tooling. The victims named in the report are a U.S. trade group and a Mexican research institute, showing that the group operates across borders and sectors.
Details of the SparrowDoor Backdoor
SparrowDoor is an implant used exclusively by FamousSparrow, and its newest variant is modular: it loads up to nine plugins, each covering a different task, which gives the operator flexibility without changing the core backdoor. The modules are:
- Cmd: Executes a single command.
- CFile: Performs various file system operations.
- CKeylogPlug: Logs keystrokes to capture sensitive information.
- CSocket: Launches a TCP proxy for network manipulation.
- CShell: Initiates an interactive shell session for remote control.
- CTransf: Manages file transfers.
- CRdp: Takes screenshots of the victim's desktop.
- CPro: Lists running processes and kills selected ones.
- CFileMoniter: Monitors file changes.
ESET reports that one of the newly discovered SparrowDoor variants resembles another backdoor known as Crowdoor, which complicates attribution and tracking of the two families.
“FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular,” – ESET
Each module extends the backdoor's reach, letting the operators run whatever mix of commands a given intrusion requires.
Implications of Recent Activities
The new variants show that FamousSparrow is still at work and that the group continues to develop and refine its tooling. That proven ability to iterate on its malware is the main reason researchers are concerned.
“This newly found activity indicates that not only is the group still operating, but it was also actively developing new versions of SparrowDoor during this time,” – ESET
ESET also describes how SparrowDoor handles long-running commands: for each such command, the backdoor spawns a dedicated thread that opens a fresh connection to the command and control (C&C) server. The operator can therefore run several tasks on one victim in parallel, for example an interactive shell and a file transfer at the same time, instead of waiting for each command to finish.
“When the backdoor receives one of these commands, it creates a thread that initiates a new connection to the C&C server,” – Alexandre Côté Cyr
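One practical consequence of the design described above is that a single compromised process holds several simultaneous sockets to the same C&C endpoint while parallel commands are running. The following is an added example written for this page, not code from ESET or from the SparrowDoor analysis: a small heuristic that parses a constructed snapshot of a host's TCP table (an invented log layout, not a real tool's output) and flags non-browser processes with three or more established connections to one remote IP and port. The process names, addresses and threshold are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one snapshot of a host's TCP table with owning process, in an
# invented "ts pid=... image=... local -> remote state" layout (not a real tool's format).
# msedge.exe is the benign fan-out case; update_helper.exe is the constructed suspect.
SAMPLE_SNAPSHOT = """\
2025-03-26T10:02:11Z pid=4412 image=msedge.exe 10.0.0.15:51002 -> 151.101.1.10:443 ESTABLISHED
2025-03-26T10:02:11Z pid=4412 image=msedge.exe 10.0.0.15:51003 -> 151.101.1.10:443 ESTABLISHED
2025-03-26T10:02:11Z pid=4412 image=msedge.exe 10.0.0.15:51004 -> 151.101.1.10:443 ESTABLISHED
2025-03-26T10:02:11Z pid=4412 image=msedge.exe 10.0.0.15:51005 -> 151.101.1.10:443 ESTABLISHED
2025-03-26T10:02:11Z pid=7120 image=update_helper.exe 10.0.0.15:51100 -> 203.0.113.7:443 ESTABLISHED
2025-03-26T10:02:11Z pid=7120 image=update_helper.exe 10.0.0.15:51101 -> 203.0.113.7:443 ESTABLISHED
2025-03-26T10:02:11Z pid=7120 image=update_helper.exe 10.0.0.15:51102 -> 203.0.113.7:443 ESTABLISHED
2025-03-26T10:02:11Z pid=7120 image=update_helper.exe 10.0.0.15:51103 -> 203.0.113.7:443 TIME_WAIT
2025-03-26T10:02:11Z pid=2200 image=outlook.exe 10.0.0.15:51200 -> 52.96.0.10:443 ESTABLISHED
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"(?P<lip>[\d.]+):(?P<lport>\d+) -> (?P<rip>[\d.]+):(?P<rport>\d+) (?P<state>\S+)$"
)

# Assumed allowlist: images that legitimately hold many parallel sockets to one host
# (HTTP/1.1 connection pools). Tune per environment.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe"}


@dataclass(frozen=True)
class Conn:
    pid: int
    image: str
    rip: str
    rport: int
    state: str


def parse_snapshot(text):
    """Parse the constructed snapshot format; lines in another shape are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # tolerate noise rather than abort the whole scan
        conns.append(Conn(int(m["pid"]), m["image"], m["rip"], int(m["rport"]), m["state"]))
    return conns


def parallel_c2_candidates(conns, threshold=3, allowlist=BROWSER_IMAGES):
    """Count ESTABLISHED sockets per (pid, image, remote ip, remote port) and return
    the groups at or above threshold whose image is not on the allowlist."""
    counts = Counter(
        (c.pid, c.image, c.rip, c.rport)
        for c in conns
        if c.state == "ESTABLISHED" and c.image.lower() not in allowlist
    )
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = parallel_c2_candidates(parse_snapshot(SAMPLE_SNAPSHOT))
    for (pid, image, rip, rport), n in sorted(hits.items()):
        print(f"pid {pid} ({image}): {n} concurrent sessions to {rip}:{rport}")
```

On the constructed snapshot only the suspect process is reported; the browser's four sockets are suppressed by the allowlist and the TIME_WAIT entry is not counted. The heuristic is a triage aid, not a signature: connection pooling in legitimate software produces the same pattern, and an operator who issues one command at a time, or routes traffic through a local proxy, never trips it. It is meant to be run against a real process-to-socket table (for example the output of a host telemetry agent) once the parser is adapted to that format.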
The Growing Threat Landscape
As threats of this kind keep evolving, organizations of all sizes need to treat their security posture as an ongoing effort. FamousSparrow's operations are a reminder to stay alert to new and updated tooling and to rely on layered defenses rather than any single control, so that an implant which slips past one layer is still caught by host or network telemetry.
The deployment of ShadowPad alongside SparrowDoor indicates that FamousSparrow is broadening its toolset. As the group refines its methods, understanding how its malware behaves on the host and on the wire is what makes effective defense possible.