New Backdoor Variants Linked to Chinese Threat Actor FamousSparrow Target U.S. and Mexican Organizations


By Tina Reynolds


ESET recently published a report disclosing ongoing activity that deploys new variants of the SparrowDoor backdoor. These variants are attributed to the Chinese threat actor FamousSparrow. Since its discovery in September 2021, FamousSparrow has quickly developed into a widespread and prominent cyber threat, and its most recent activity explicitly targets U.S. and Mexican organizations.

FamousSparrow mostly relies on SparrowDoor, an implant used exclusively in its own operations. In the most recent attacks, the group deployed SparrowDoor alongside a malware known as ShadowPad. These attacks were directed at a major trade association in the United States and at a technology industry research institute in Mexico. This is a concerning trend: it shows that the group remains active and continues to develop advanced tooling.

Overview of FamousSparrow and SparrowDoor

FamousSparrow first gained notoriety following ESET's original documentation in late 2021. Since then, the group has taken part in multiple cyber espionage operations, using SparrowDoor as its main instrument for intrusions. Notably, SparrowDoor's modular architecture lets the tool be extended with additional functionality.

Rather than a single, monolithic backdoor, the modular variant supports nine different modules, each designed to carry out a specific task. These include:

  • Cmd: Executes a single command.
  • CFile: Conducts file system operations.
  • CKeylogPlug: Logs keystrokes.
  • CSocket: Manages socket connections.
  • CShell: Facilitates interactive shell sessions.
  • CTransf: Handles file transfers.
  • CRdp: Supports Remote Desktop Protocol (RDP) functionality.
  • CPro: Implements additional proprietary functions.
  • CFileMoniter: Monitors file activities.

SparrowDoor can start proxies and open interactive shell sessions. Its ability to conduct file operations and collect host information greatly increases its utility in intrusion operations.

Recent Attacks and Use of ShadowPad

These attacks attributed to FamousSparrow have made headlines not just for who they targeted, but for how advanced they are. In July 2024, the group deployed ShadowPad for the first time, a backdoor that has become infamous among Chinese state-sponsored actors. ShadowPad's inclusion signifies an escalation in FamousSparrow's tactics, with the group employing advanced shared malware to achieve its objectives.

ESET noted that “FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular.” This is a strong indicator that the group remains active and continues to develop new iterations of SparrowDoor that expand its capabilities.

ESET researcher Alexandre Côté Cyr underscored the advantage these innovations give FamousSparrow. He described how the new functionality allows the C&C server to track all connections associated with the same victim and to know the purpose of each of those connections. Each thread can then handle a particular category of sub-command. This degree of engineering effort behind their operations highlights how dangerous FamousSparrow is.

Implications and Ongoing Threat

These new findings on FamousSparrow and its new variants show that the threat landscape is ever-evolving. Cybersecurity professionals continue to emphasize the need for caution as these attackers constantly adapt their tools and techniques. As the group's capabilities grow, organizations need to be aware of these threats and improve their defenses accordingly.

Most recently, ESET identified additional activity showing that FamousSparrow remains active and continues to build new iterations of SparrowDoor. Given that cyber threats are constantly changing, organizations around the world need to be more vigilant than ever.