FamousSparrow APT Wings in to Spy on Hotels, Governments

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
A cyberespionage group dubbed “FamousSparrow” by researchers has taken flight, targeting hotels, governments and private organizations around the world with a custom backdoor called, appropriately, “SparrowDoor.” It’s one of the advanced persistent threats (APTs) that targeted the ProxyLogon vulnerabilities earlier this year, according to ESET, though its activity has only recently come to light.

According to the firm, the backdoor’s malicious actions include the ability to: rename or delete files; create directories; shut down processes; send information such as file attributes, file size and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell. There’s also a kill switch to remove persistence settings and all SparrowDoor files from the victim machines.
“We believe FamousSparrow exploited known remote code-execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” according to ESET researchers. They added, “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”

Once a target is compromised, FamousSparrow infects the victim with a range of custom tools, according to ESET’s analysis, released on Thursday. These include:
  • A Mimikatz variant for lateral movement
  • A small utility that drops ProcDump on disk and uses it to dump the lsass process, probably in order to gather in-memory secrets, such as credentials
  • Nbtscan, a NetBIOS scanner for identifying files and printers across a LAN
  • A loader for the SparrowDoor backdoor
The loader installs SparrowDoor via DLL search order hijacking, researchers noted. “The legitimate executable, Indexer.exe, requires the library K7UI.dll to operate,” they explained. “Therefore, the OS looks for the DLL file in directories in the prescribed load order. Since the directory where the Indexer.exe file is stored is at the top priority in the load order, it is exposed to DLL search-order hijacking. And that is exactly how the malware gets loaded.” Persistence is set through the registry Run key and a service that’s created and started using XOR-encrypted configuration data hardcoded in the binary, according to the writeup. Then, the malware establishes encrypted TLS connections to a command-and-control (C2) server on port 433, which can be proxied or not.
 

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
So this exploited known, unpatched vulnerabilities or unknown vulnerabilities not yet patched?
Proxylogon specific :
this remote code execution vulnerability was used by more than 10 APT groups to take over Exchange mail servers worldwide. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3rd, 2021, the day following the release of the patch, so it is yet another APT group that had access to the ProxyLogon remote code execution vulnerability in March 2021.
For example with the vulnerability in Oracle Opera, I can't say as I haven't checked deep enough.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top