Chinese Threat Actor FamousSparrow Targets U.S. and Mexican Organizations with SparrowDoor Backdoor


By Tina Reynolds


A recent wave of cyber attacks appears to have been coordinated by the Chinese advanced persistent threat group FamousSparrow. The attacks targeted an independent trade group in the United States and an independent, nonprofit research institute in Mexico. ESET first reported on FamousSparrow in September 2021. Since then, the group has become known for its advanced capabilities, most notably its deployment of a backdoor called SparrowDoor, an implant that is associated exclusively with this group. More recently, the group has extended its operations to deploying additional malware, such as ShadowPad.

FamousSparrow’s operations illustrate an ongoing trend in cyber espionage: the group uses advanced tooling to infiltrate organizations across North America. SparrowDoor and ShadowPad have raised the sophistication of these intrusions considerably, and this trend has left many cybersecurity professionals concerned for the safety of sensitive data and research.

Overview of SparrowDoor

SparrowDoor is an extremely flexible backdoor. It supports nine plugin modules, which substantially extend its functionality. Each module focuses on a single task, which makes the backdoor an even more capable tool in FamousSparrow’s toolbox. The Cmd module executes single interactive commands, and the CFile module handles core file system operations.

The CKeylogPlug module provides keystroke logging, which can be used to observe user activity and behavior. The CSocket and CShell modules support socket communication and remote control, respectively. The CTransf module handles file transfer, and CRdp adds remote desktop protocol support. Finally, CPro and CFileMonitor provide process management and file monitoring, respectively.

Together, these modules let FamousSparrow carry out advanced operations on compromised systems across different environments. This greatly enhances the group’s intelligence-gathering capability and helps it stay one step ahead of defenders on the networks it targets.

Deployment of ShadowPad

In late July 2024 FamousSparrow reached a notable milestone: the first observed deployment of ShadowPad in one of its attacks. ShadowPad is a polymorphic remote access trojan (RAT) usually associated with Chinese state-sponsored actors, and it has become a tool of choice for almost every such threat actor. By incorporating this malware into its toolkit, FamousSparrow has expanded on its earlier work and further diversified its tradecraft.

Deploying ShadowPad alongside SparrowDoor, together with the group’s continuing focus on critical infrastructure, further highlights the group’s intentions. Cybersecurity novices and veterans alike need to remain on high alert. As these actors refine their methods and tooling, the need for vigilance only increases.

Comparisons and Improvements

One version of SparrowDoor closely resembles Crowdoor, a backdoor used by other threat actors, but SparrowDoor brings significant improvements. It can launch a proxy server, start live interactive shell sessions, carry out detailed file operations, and enumerate file systems. These capabilities allow FamousSparrow to collect detailed host information while remaining under the radar throughout all phases of an operation.

SparrowDoor’s self-uninstall capability adds one more obstacle to detection. Once the attack objectives are met, the malware removes itself from the infected machine, leaving little evidence behind and impeding forensic investigation.
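The self-uninstall behaviour described above still leaves a trace in endpoint telemetry: a process is created from some image path, and shortly afterwards that same path is deleted by the process. The following is an added example, not code from the article or from ESET, showing how a defender might correlate those two events. The event format and field names (`ts`, `type`, `pid`, `image`, `target`) are a constructed, simplified stand-in for endpoint telemetry, not any product's real schema, and the sample events are made up for illustration.

```python
"""
Added example (not part of the original article): flag processes whose own
executable is deleted shortly after they start, a telemetry pattern consistent
with a backdoor that wipes itself once its objectives are met.

The event schema below is an assumption made for this example; real endpoint
products expose process-create and file-delete events under their own names.
"""
from datetime import datetime, timedelta

# Constructed sample telemetry. Event 4711 starts from a binary and then deletes
# that same binary four seconds later; event 4120 is a benign editor deleting a
# user document and must not be flagged.
SAMPLE_EVENTS = [
    {"ts": "2024-07-25T10:00:00", "type": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\notepad.exe", "target": None},
    {"ts": "2024-07-25T10:00:05", "type": "process_create", "pid": 4711,
     "image": r"C:\ProgramData\updater\svc.exe", "target": None},
    {"ts": "2024-07-25T10:00:09", "type": "file_delete", "pid": 4711,
     "image": r"C:\ProgramData\updater\svc.exe",
     "target": r"C:\ProgramData\updater\svc.exe"},
    {"ts": "2024-07-25T10:02:00", "type": "file_delete", "pid": 4120,
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\alice\notes.txt"},
]


def find_self_deleting_processes(events, window=timedelta(minutes=10)):
    """Return (pid, image) pairs for processes that deleted their own image
    file within `window` of starting. Events may arrive unordered; they are
    sorted by ISO-8601 timestamp before correlation."""
    starts = {}   # pid -> (start time, lower-cased image path)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process_create":
            starts[ev["pid"]] = (ts, ev["image"].lower())
        elif ev["type"] == "file_delete":
            started = starts.get(ev["pid"])
            if started is None:
                continue  # no matching start seen; cannot correlate
            start_ts, image = started
            # Case-insensitive compare, since Windows paths are case-insensitive
            if ev["target"].lower() == image and ts - start_ts <= window:
                hits.append((ev["pid"], ev["image"]))
    return hits


if __name__ == "__main__":
    for pid, image in find_self_deleting_processes(SAMPLE_EVENTS):
        print(f"ALERT: pid {pid} deleted its own image {image}")
```

In production this logic would run over real process-create and file-delete events and should also consider deletions carried out by a child or helper process, since a running executable is not always removed directly by the process itself; the example keys only on the same PID to keep the correlation clear.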