Cybersecurity researchers have discovered new variants of the SparrowDoor backdoor, which FamousSparrow, a China-aligned APT group, is currently deploying. The group was first documented by ESET, a Slovak cybersecurity company, in September 2021. Since then it has adapted its tactics and, in this latest activity, targeted organizations in the US and Mexico. The newest findings show that FamousSparrow continues to develop and deploy increasingly sophisticated versions of its malware.
SparrowDoor is FamousSparrow's signature implant and is exclusively associated with the group's operations. The backdoor is highly configurable: the modular version carries nine plugin modules, each adding a distinct capability for the operators, from Cmd for command execution and CFile for file system operations to CKeylogPlug for keystroke logging, as listed below.
ESET, which has been tracking these developments, noted that “FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular.” Beyond the plugin architecture, the new versions parallelize command handling: sub-commands run over separate connections, and the C&C server can attribute each of those connections to the individual victim, so it can oversee several concurrent sub-commands on one host instead of handling a single command per session.
- Cmd: Executes a single command.
- CFile: Handles file system operations.
- CKeylogPlug: Logs keystrokes entered on the compromised system.
- CSocket: Initiates a TCP proxy for communication.
- CShell: Starts an interactive shell session.
- CTransf: Manages file transfers between the infected host and the command and control (C&C) server.
- CRdp: Captures screenshots from the compromised device.
- CPro: Lists running processes and can terminate specified ones.
- CFileMoniter: Monitors file system changes in designated directories.
ESET researcher Alexandre Côté Cyr explained the mechanism: “When the backdoor receives one of these commands, it creates a thread that initiates a new connection to the C&C server.” This design lets the backdoor service several long-running tasks at once (an interactive shell, a file transfer, a TCP proxy) without blocking its main control channel, which strengthens the operators' persistent control over infected systems.
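The per-command thread and fresh C&C connection described above leave a network footprint: one host holding several simultaneous, long-lived outbound connections to the same remote endpoint. The following is an added example, written for this article and not ESET's detection logic or anything from the FamousSparrow toolset. It runs a simple sweep-line concurrency check over a constructed, hypothetical connection log (the five-field CSV format and the IP addresses are assumptions for illustration) and flags host/endpoint pairs that exceed a concurrency threshold:

```python
"""Heuristic detector for parallel outbound channels to one endpoint.

Example code added to this article; not ESET's detection logic and not
FamousSparrow code. The log format and sample lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Conn:
    src: str
    dst: str
    dport: int
    start: datetime
    end: datetime


# Constructed sample log, one connection per line:
# start,end,src,dst,dport
# 10.0.0.7 holds three overlapping long-lived sessions to 203.0.113.10,
# 10.0.0.8 makes three short sequential requests, 10.0.0.9 one long session.
SAMPLE_LOG = """\
2025-03-01T10:00:00,2025-03-01T10:00:05,10.0.0.7,203.0.113.10,443
2025-03-01T10:00:10,2025-03-01T10:30:00,10.0.0.7,203.0.113.10,443
2025-03-01T10:00:12,2025-03-01T10:25:00,10.0.0.7,203.0.113.10,443
2025-03-01T10:00:15,2025-03-01T10:20:00,10.0.0.7,203.0.113.10,443
2025-03-01T10:01:00,2025-03-01T10:01:02,10.0.0.8,203.0.113.10,443
2025-03-01T10:01:05,2025-03-01T10:01:06,10.0.0.8,203.0.113.10,443
2025-03-01T10:01:10,2025-03-01T10:01:11,10.0.0.8,203.0.113.10,443
2025-03-01T10:02:00,2025-03-01T10:40:00,10.0.0.9,198.51.100.5,8080
"""


def parse_log(text):
    """Parse the constructed CSV format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, dport = line.split(",")
        conns.append(Conn(src, dst, int(dport),
                          datetime.fromisoformat(start),
                          datetime.fromisoformat(end)))
    return conns


def max_concurrency(conns):
    """Sweep-line: largest number of connections open at the same instant."""
    events = []
    for c in conns:
        events.append((c.start, 1))
        events.append((c.end, -1))
    # At equal timestamps, process the close (-1) before the open (+1)
    # so back-to-back connections are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_parallel_channels(conns, min_concurrent=3, min_duration_s=60):
    """Return ((src, dst, dport), peak) for hosts that kept at least
    min_concurrent connections of min_duration_s or longer open at once
    to the same endpoint. Short connections are ignored to avoid flagging
    ordinary request/response traffic."""
    groups = defaultdict(list)
    for c in conns:
        if (c.end - c.start).total_seconds() >= min_duration_s:
            groups[(c.src, c.dst, c.dport)].append(c)
    hits = []
    for key, group in groups.items():
        peak = max_concurrency(group)
        if peak >= min_concurrent:
            hits.append((key, peak))
    return sorted(hits)


if __name__ == "__main__":
    for (src, dst, dport), peak in find_parallel_channels(parse_log(SAMPLE_LOG)):
        print(f"{src} -> {dst}:{dport}: {peak} concurrent long-lived connections")
```

This is a behavioral heuristic, not a signature: browsers, sync clients and update agents also open parallel connections to one endpoint, so the thresholds need to be tuned against a baseline of normal traffic, and a hit is a lead for host-side triage (process ownership of the sockets, loaded modules) rather than a verdict on its own.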
This activity shows that FamousSparrow remains active and continues to improve its malware toolkit. As ESET put it, “this newly found activity indicates that not only is the group still operating, but it was also actively developing new versions of SparrowDoor during this time.”
In addition to SparrowDoor, FamousSparrow has deployed ShadowPad, a backdoor commonly associated with Chinese state-sponsored cyber operations. Its use here underscores the ongoing threat posed by the group and the importance of robust defensive measures for organizations in the affected regions.