Jul 27, 2015
A cyberespionage group dubbed “FamousSparrow” by researchers has taken flight, targeting hotels, governments and private organizations around the world with a custom backdoor called, appropriately, “SparrowDoor.” It’s one of the advanced persistent threats (APTs) that targeted the ProxyLogon vulnerabilities earlier this year, according to ESET, though its activity has only recently come to light.
According to the firm, the backdoor’s malicious actions include the ability to: rename or delete files; create directories; shut down processes; send information such as file attributes, file size and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell. There’s also a kill switch to remove persistence settings and all SparrowDoor files from the victim machines.
“We believe FamousSparrow exploited known remote code-execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” according to ESET researchers. They added, “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”
Once a target is compromised, FamousSparrow infects the victim with a range of custom tools, according to ESET’s analysis, released on Thursday. These include:
- A Mimikatz variant for lateral movement
- A small utility that drops ProcDump on disk and uses it to dump the lsass process, probably in order to gather in-memory secrets, such as credentials
- Nbtscan, a NetBIOS scanner for identifying files and printers across a LAN
- A loader for the SparrowDoor backdoor
The loader installs SparrowDoor via DLL search order hijacking, researchers noted. “The legitimate executable, Indexer.exe, requires the library K7UI.dll to operate,” they explained. “Therefore, the OS looks for the DLL file in directories in the prescribed load order. Since the directory where the Indexer.exe file is stored is at the top priority in the load order, it is exposed to DLL search-order hijacking. And that is exactly how the malware gets loaded.” Persistence is set through the registry Run key and a service that’s created and started using XOR-encrypted configuration data hardcoded in the binary, according to the writeup. Then, the malware establishes encrypted TLS connections to a command-and-control (C2) server on port 433, which can be proxied or not.
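A defender-side check for the search-order hijack described above, written as an added Python example (not code from ESET or the article): it scans image-load telemetry for a DLL mapped from the executable's own directory whose hash is not in the vendor baseline, is unsigned, or belongs to an executable sitting outside the usual install roots. The event shape, paths and hashes are constructed, and the known-good baseline is assumed to be built from the vendor's signed release.

```python
"""Flag DLL search-order hijacking candidates in image-load telemetry (constructed data)."""
from dataclasses import dataclass
import ntpath  # Windows path semantics, so the check also runs on non-Windows hosts

@dataclass
class ImageLoad:
    process_image: str   # full path of the executable that mapped the DLL
    loaded_image: str    # full path of the DLL that was mapped
    signed: bool         # Authenticode status as reported by the sensor
    sha256: str          # hash of the mapped file as reported by the sensor

# Constructed baseline: DLL name -> hashes of the vendor's genuine builds (placeholders).
KNOWN_GOOD = {"k7ui.dll": {"baseline-hash-placeholder"}}
# Directories where a vendor's signed executable is expected to live.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

def search_order_hijack_candidates(events, known_good=KNOWN_GOOD):
    """Return (exe, dll, reasons) for loads that look like a planted side-by-side DLL."""
    hits = []
    for ev in events:
        dll_dir = ntpath.dirname(ev.loaded_image).lower()
        exe_dir = ntpath.dirname(ev.process_image).lower()
        baseline = known_good.get(ntpath.basename(ev.loaded_image).lower())
        # Only the application directory precedes the system paths in the load
        # order; a DLL mapped from elsewhere, or one with no baseline, is skipped.
        if dll_dir != exe_dir or baseline is None:
            continue
        reasons = []
        if ev.sha256.lower() not in baseline:
            reasons.append("hash not in vendor baseline")
        if not ev.signed:
            reasons.append("unsigned")
        if not (exe_dir + "\\").startswith(EXPECTED_ROOTS):
            reasons.append("executable outside expected install roots")
        if reasons:
            hits.append((ev.process_image, ev.loaded_image, reasons))
    return hits

SAMPLE_EVENTS = [  # constructed: one genuine load, one planted DLL, one system DLL
    ImageLoad("C:\\Program Files\\VendorAV\\Indexer.exe",
              "C:\\Program Files\\VendorAV\\K7UI.dll", True, "baseline-hash-placeholder"),
    ImageLoad("C:\\ProgramData\\Staging\\Indexer.exe",
              "C:\\ProgramData\\Staging\\K7UI.dll", False, "unknown-hash-placeholder"),
    ImageLoad("C:\\ProgramData\\Staging\\Indexer.exe",
              "C:\\Windows\\System32\\kernel32.dll", True, "system-dll-placeholder"),
]

if __name__ == "__main__":
    for exe, dll, why in search_order_hijack_candidates(SAMPLE_EVENTS):
        print(f"{exe} loaded {dll}: {', '.join(why)}")
```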