You Will Always Remember This As The Day You Finally Caught Famoussparrow

In July 2024, ESET Research noticed suspicious activity connected nan strategy of a waste and acquisition group successful nan United States that operates successful nan financial sector. While helping nan affected entity remediate nan compromise, we made an unexpected find successful nan victim’s network: malicious devices belonging to FamousSparrow, a China-aligned APT group. There had been nary publically documented FamousSparrow activity since 2022, truthful nan group was thought to beryllium inactive. Not only was FamousSparrow still progressive during this period, it must person besides been difficult astatine activity processing its toolset, since nan compromised web revealed not one, but 2 antecedently undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor.

Both of these versions of SparrowDoor represent marked advancement complete earlier ones, particularly successful position of codification value and architecture. One of them resembles nan backdoor that researchers astatine Trend Micro called CrowDoor and attributed to nan Earth Estries APT group successful November 2024. The different is modular and importantly different from each erstwhile versions. This run is besides nan first documented clip FamousSparrow utilized ShadowPad, a privately sold backdoor, known to only beryllium supplied to China-aligned threat actors.

We further discovered that, arsenic portion of this campaign, nan threat character managed to breach a investigation institute successful Mexico conscionable a mates of days anterior to nan discuss successful nan US.

While mounting up search based connected what we discovered successful these attacks, we uncovered further activity by nan group betwixt 2022 and 2024, which we’re still investigating. Among others, it targeted a governmental institution successful Honduras.

This blogpost provides an overview of nan toolset utilized successful nan July 2024 campaign, focusing connected nan undocumented versions of nan SparrowDoor backdoor that we discovered astatine nan US victim.

Key points of this blogpost:

• ESET researchers discovered that FamousSparrow compromised a waste and acquisition group for nan financial assemblage successful nan United States and a investigation institute successful Mexico.
• FamousSparrow deployed 2 antecedently undocumented versions of nan SparrowDoor backdoor, 1 of them modular.
• Both versions represent sizeable advancement complete erstwhile ones and instrumentality parallelization of commands.
• The APT group was besides observed utilizing nan ShadowPad backdoor for nan first time.
• We talk Microsoft Threat Intelligence’s attribution claims linking FamousSparrow to Salt Typhoon.

FamousSparrow is simply a cyberespionage group pinch ties to China, progressive since astatine slightest 2019. We first publically documented nan group successful a 2021 blogpost erstwhile we observed it exploiting nan ProxyLogon vulnerability. The group was initially known for targeting hotels astir nan world, but has besides targeted governments, world organizations, engineering companies, and rule firms. FamousSparrow is nan only known personification of nan SparrowDoor backdoor.

Even though FamousSparrow seemed inactive astatine nan clip of our discovery, we property this activity to nan group pinch precocious confidence. The deployed payloads are caller versions of SparrowDoor, a backdoor that appears to beryllium exclusive to this group. While these caller versions grounds important upgrades successful codification value and architecture, they tin still beryllium traced backmost straight to earlier, publically documented versions. The loaders utilized successful these attacks besides coming important codification overlaps pinch samples antecedently attributed to FamousSparrow. Notably, they usage nan aforesaid reflective loader shellcode arsenic nan libhost.dll loader sample described successful a report from February 2022 published by nan UK National Cyber Security Centre (NCSC). Its configuration besides shares nan aforesaid circumstantial format, isolated from for nan encryption cardinal which is alternatively hardcoded successful nan loader and backdoor. XOR encryption has besides been replaced pinch RC4.

Additionally, C&C server communications usage a format very akin to that utilized successful erstwhile SparrowDoor versions.

In 2021, Kaspersky researchers wrote astir a threat character they way arsenic GhostEmperor. Despite immoderate infrastructure overlap pinch FamousSparrow, we way them arsenic abstracted groups. In August 2023, Trend Micro noted that immoderate FamousSparrow TTPs overlap pinch those of Earth Estries. We person besides observed codification overlaps betwixt SparrowDoor and that group’s HemiGate. These are discussed successful much item successful nan Plugins section. We judge that nan 2 groups overlap astatine slightest partially, but we do not person capable information to afloat measure nan quality and grade of nan nexus betwixt nan 2 groups.

FamousSparrow and Salt Typhoon

Before we dive into nan study of FamousSparrow’s toolset, we want to talk our position connected nan links betwixt FamousSparrow and Salt Typhoon made by Microsoft Threat Intelligence.

In September 2024, nan Wall Street Journal published an article (the article is down a paywall) reporting that net work providers successful nan United States had been compromised by a threat character named Salt Typhoon. The article relays claims by Microsoft that this threat character is nan aforesaid arsenic FamousSparrow and GhostEmperor. It is nan first nationalist study that conflates nan second 2 groups. However, arsenic we already stated, we spot GhostEmperor and FamousSparrow arsenic 2 chopped groups. There are fewer overlaps betwixt nan 2 but galore discrepancies. Both utilized 27.102.113[.]240 arsenic a download server successful 2021. Both groups were besides early exploiters of nan ProxyLogon vulnerability (CVE-2021-26855) and person utilized immoderate of nan aforesaid publically disposable tools. However, too these publically disposable tools, each threat character has its ain civilization toolset.

Since that first publication, researchers astatine Trend Micro person added Earth Estries to nan database of groups that are linked to Salt Typhoon. As of this writing, Microsoft, who created nan Salt Typhoon cluster, has not published immoderate method indicators aliases specifications astir TTPs utilized by nan threat actor, nor provided an mentation for this attribution. To debar further muddying nan waters, we will support search nan cluster of activity we spot arsenic straight linked to SparrowDoor arsenic FamousSparrow until we person accusation basal to reliably measure these attribution claims.

Based connected our information and study of nan publically disposable reports, FamousSparrow appears to beryllium its ain chopped cluster pinch loose links to nan others mentioned successful this section. We judge those links are amended explained by positing nan beingness of a shared 3rd party, specified arsenic a integer quartermaster, than by conflating each of these disparate clusters of activity into one.

Technical Analysis

In bid to summation first entree to nan affected network, FamousSparrow deployed a webshell connected an IIS server. While we were incapable to find nan nonstop utilization utilized to deploy nan webshells, some victims were moving outdated versions of Windows Server and Microsoft Exchange, for which location are respective publically disposable exploits.

As for nan toolset utilized successful nan campaign, nan threat character employed a operation of civilization devices and malware on pinch those shared by China-aligned APT groups, arsenic good arsenic from publically disposable sources. The last payloads were SparrowDoor and ShadowPad. Figure 1 provides an overview of nan discuss concatenation deployed successful nan attacks.

The threat character initially downloaded a batch book complete HTTP from a download server, 43.254.216[.]195. This book contains a base64-encoded .NET webshell that it writes to C:\users\public\s.txt. It past decodes it utilizing certutil.exe and saves nan decoded output to C:\users\public\s.ashx. An ASHX module is simply a type of HTTP handler for ASP.NET. Although akin to ASPX modules, ASHX modules do not see immoderate personification interface components. The book past walks done drives C: to I:, and P:, to find nan installation directory of DotNetNuke; it past copies nan ASHX webshell to <DotNetNuke_directory>\DesktopModules\DotNetNuke.ashx.

The webshell itself is reasonably generic and doesn’t usage thing circumstantial to DotNetNuke. All nan information it receives, and returns, is AES encrypted pinch nan hardcoded cardinal e2c99096bcecd1b5. On first request, it expects a .NET PE file. This executable record is loaded into representation and saved successful a convention variable. On consequent requests, an lawsuit of nan LY people contained wrong that .NET assembly is created and nan information received is passed to its Equals method. We did not cod immoderate payload sent to this webshell, but it’s evident that nan Equals method does not travel nan emblematic contract.

In nan cases we observed, this was utilized to spawn an interactive distant PowerShell session. Once this convention was established, attackers utilized morganatic Windows devices to get accusation astir nan big and nan Active Directory domains to which it was joined. They past downloaded PowerHub, an open-source post-exploitation framework, from an attacker-controlled server and utilized the BadPotato privilege-escalation method to summation SYSTEM privileges. This utilization is not coming successful nan framework, but it appears that nan group added nan open-source Invoke-BadPotato module to its deployment of PowerHub. Finally, nan attacker utilized PowerShell’s built-in Invoke-WebRequest to download 3 files from nan aforesaid server that comprise SparrowDoor’s trident loader.

In a process very akin to nan 1 described successful 2022 by nan UK NCSC, nan aforementioned files usage a trident loading strategy to execute SparrowDoor. In this instance, nan executable utilized for DLL side-loading is simply a morganatic type of K7AntiVirus Messenger Scanner named K7AVMScn.exe, while nan malicious DLL and encrypted payload files are named K7AVWScn.dll and K7AVWScn.doc, respectively. The payload record is encrypted utilizing an RC4 cardinal that is hardcoded successful some nan loader and nan resulting decrypted payload, but which varies crossed samples.

The decrypted payload consists of a civilization configuration and reflective loader shellcode almost identical to that described by nan UK NCSC, pinch nan only quality being that nan first field, which contained nan four-byte XOR key, has been removed. The past 202 bytes of nan record are encrypted separately, but utilizing nan aforesaid RC4 key, and incorporate nan C&C server configuration.

SparrowDoor

As stated, we observed 2 caller versions of SparrowDoor utilized successful these attacks. The first 1 is very akin to what was called CrowDoor by researchers astatine Trend Micro, successful an article published successful November 2024 about Earth Estries. This malware was first documented by researchers astatine ITOCHU and Macnica successful a position astatine VirusBulletin successful 2023. From our perspective, these are portion of nan continued improvement effort connected SparrowDoor alternatively than a different family. We tin travel nan improvement from nan first type we described successful 2021, done nan ones referred to arsenic CrowDoor, to nan modular type we analyse successful nan later portion of this blogpost.

Both versions of SparrowDoor utilized successful this run represent onsiderable advances successful codification value and architecture compared to older ones. The astir important alteration is nan parallelization of time-consuming commands, specified arsenic record I/O and nan interactive shell. This allows nan backdoor to proceed handling caller commands while those tasks are performed. We will explicate nan process later successful nan blogpost erstwhile we talk nan commands successful detail.

Just for illustration successful erstwhile versions, nan behaviour of nan backdoor varies depending connected nan bid statement statement passed to it. These are listed successful Table 1.

Table 1. Command statement arguments for SparrowDoor

When executed without immoderate arguments, nan malware establishes persistence. It first tries to do truthful by creating a work named K7Soft that is group to tally automatically connected startup. If this fails, a registry Run cardinal pinch nan aforesaid sanction is utilized instead. In some cases, nan persistence system is group to execute nan backdoor pinch a bid statement statement of 11. It is besides launched instantly pinch that aforesaid statement utilizing nan StartServiceA aliases ShellExecuteA API.

When executed pinch nan statement 11, nan backdoor launches nan Windows colour guidance instrumentality (colorcpl.exe) pinch a bid statement statement of 22 and injects its loader into nan recently created process.

It is only erstwhile nan bid statement statement is group to 22 that nan backdoor really executes its main payload.

After SparrowDoor is executed successful this backdoor mode, it terminates, successful a roundabout way, immoderate different already moving instances. The backdoor uses nan K32EnumProcesses API to iterate done nan process IDs (PIDs) of each moving processes and tries to create a mutex named Global\ID(<PID>). PIDs of 15 aliases little are skipped, apt arsenic a measurement to exclude sidesplitting immoderate basal strategy processes. If nan mutex already exists, nan process is terminated. Otherwise, nan mutex is closed immediately. When SparrowDoor is done iterating done nan PIDs, it creates a caller mutex utilizing nan aforesaid sanction format and its ain PID.

The backdoor past sounds nan past 202 bytes from nan encrypted payload record and decrypts them utilizing nan aforesaid RC4 cardinal utilized by nan loader. The resulting plaintext is nan C&C server configuration, which consists of 3 pairs of addresses and ports, followed by 4 numeric values that, respectively, correspond nan number of days, hours, minutes, and seconds nan backdoor should hold aft each configured C&C servers person been tried. This is related to nan functionality we picture later while talking astir nan bid nan backdoor uses for changing nan C&C configuration.

After loading this configuration, nan backdoor will effort to link to nan first server. If it is incapable to link aliases if nan C&C server issues a bid that causes execution to exit nan main bid loop, SparrowDoor will effort to link to nan adjacent server, and truthful on. Once nan past server successful nan configuration has been tried, nan backdoor will slumber for nan defined clip (six minutes successful nan sample we analyzed), reload nan configuration, and past repetition nan process. Note that, during this time, SparrowDoor does not respond to commands. However, nan parallelized commands that were already moving will support doing truthful until they complete, brushwood an error, aliases are terminated by nan server.

The backdoor uses 2 classes to negociate its connections: nan absurd CBaseSocket and its kid people CTcpSocket. These are fundamentally wrappers astir Winsock TCP sockets. While nan people names are generic and travel nan aforesaid naming normal utilized successful nan Microsoft Foundation Class Library (MFC), nan codification they incorporate appears to beryllium custom.

SparrowDoor uses an integer worth arsenic a unfortunate aliases convention identifier. This is sent to nan C&C server erstwhile it requests accusation astir nan big and whenever a caller socket is created. The worth is publication from nan HKLM\Software\CLASSES\CLSID\ID registry key, falling backmost to nan aforesaid way successful nan HKCU hive if there’s an issue. If it is not present, nan identifier is derived from nan machine’s capacity antagonistic and written to nan aforementioned registry key. Although nan worth itself is benign, nan usage of this nonstandard registry cardinal presents a discovery opportunity. Indeed, nan sanction of immoderate registry cardinal nether Software\Classes\CLSID\ should beryllium a valid CLSID, which are represented arsenic a GUID surrounded by curly brackets. While it is not needfully an parameter of maliciousness, nan beingness of keys pinch nonstandard names nether CLSID is unusual.

Commands

The first type of SparrowDoor utilized successful this run supports much commands, described successful Table 2, than antecedently documented versions. While nan bid IDs are different from those utilized successful nan type analyzed by Trend Micro, nan bid and offset betwixt IDs are nan same. We person not had entree to that sample, truthful we cannot show whether nan further commands were absent aliases simply not publically documented by nan authors.

As antecedently mentioned, immoderate of nan commands person been parallelized. When nan backdoor receives 1 of these commands, it creates a thread that initiates a caller relationship to nan C&C server. The unsocial unfortunate ID is past sent complete nan caller relationship on pinch a bid ID indicating nan bid that led to this caller connection. This allows nan C&C server to support way of which connections are related to nan aforesaid unfortunate and what their purposes are. Each of these threads tin past grip a circumstantial group of subcommands. To limit its complexity, Table 2 does not see these subcommands; we will spell complete them separately.

Table 2. Main commands implemented by SparrowDoor

All connection betwixt nan malware and its C&C server uses nan aforesaid guidelines packet format, defined successful Figure 2. The format of nan information conception depends connected nan bid sent, and tin beryllium empty. In astir cases, responses usage nan ID of nan bid to which nan backdoor is responding. There are, however, immoderate exceptions; we will picture these erstwhile talking astir nan applicable commands successful detail.

Interactive shell

Upon receiving nan interactive ammunition command, SparrowDoor spawns a caller thread and socket arsenic antecedently described, and performs each nan pursuing actions wrong this thread utilizing nan caller socket. First, nan backdoor sends backmost an acknowledgment connection pinch bid ID 0x32341125 and nan unsocial unfortunate ID successful nan information field. It past spawns a cmd.exe process and uses a brace of threads and named pipes to relay commands and their output betwixt nan C&C server and nan shell. The named tube \\.\pipe\id2<address> is utilized to walk commands received from nan C&C server to nan ammunition and \\.\pipe\id1<address> is utilized for nan resulting output connected STDOUT and STDERR. In some instances, <address> is nan representation address, successful decimal form, of nan CTcpSocket instance. These commands usage nan ID 0x32341126 and nan information is, respectively, nan bid statement to beryllium executed and nan earthy output. If nan backdoor receives a connection pinch nan bid ID group to immoderate different value, nan interactive ammunition convention is terminated.

Changing nan C&C configuration

The C&C configuration is kept successful nan encrypted payload file. If nan backdoor receives nan bid to alteration this configuration (0x3234112A), nan received building is RC4 encrypted and past nan past 202 bytes of nan encrypted record are overwritten pinch nan result. Interestingly, nan configuration is not automatically reloaded. As we explained previously, nan configuration is only reloaded erstwhile each 3 configured servers person been tried. To forcibly reload nan configuration, nan server tin rumor nan 0x32341127 bid aliases an invalid command, some of which will origin SparrowDoor to exit nan bid loop and move to nan adjacent server. The configuration is besides reloaded if nan backdoor is relaunched, specified arsenic by utilizing nan 0x3234112B command.

File operations

As pinch different commands processed successful parallel, everything present is performed successful a caller thread utilizing a caller socket. SparrowDoor sends an acknowledgment connection pinch nan aforesaid ID arsenic nan original command. The assemblage of this connection contains nan unsocial ID of nan unfortunate and nan cognition ID sent by nan C&C server. This cognition ID does not look to person immoderate meaning, and is astir apt only utilized by nan server to nexus nan relationship to nan record cognition bid if aggregate specified commands are performed successful parallel. Command IDs 0x3234112E and 0x3234112F are used, respectively, for record sounds and writes.

For a record read, nan connection assemblage contains nan starting offset, nan size to beryllium read, and nan way to nan file. If nan requested publication goes past nan extremity of nan file, it causes an correction and nary consequence is sent. Otherwise, nan malware sounds nan record successful chunks of 4 kB, each of which is sent successful nan assemblage of a connection pinch nan bid ID 0x32341130.

The process is akin for a record write. The first connection from nan C&C contains nan full size of nan information to beryllium written followed by nan target record path. Interestingly, nan constitute is only performed if this size is greater than nan existent size of nan target file. The information is past sent by nan C&C server successful chunks of 4 kB, utilizing nan aforesaid bid ID of 0x32341130.

File listing

When nan record listing bid is received, nan backdoor first sends backmost an acknowledgment connection pinch nan bid ID 0x32341133. It past uses nan FindFirstFileW and FindNextFileW API functions to iterate, non-recursively, done files successful nan target directory. For each file, SparrowDoor sends 1 message, pinch nan aforesaid bid ID arsenic nan database record bid (0x32341132) and nan accusation described successful Figure 3. Note that, moreover though nan magnitude of nan filename isn’t specified directly, it tin beryllium obtained by subtracting nan size of nan remainder of nan fields (0x16) from nan data_length worth successful nan header.

Once nan loop is done, a connection pinch bid ID 0x32341134 and nary information is sent to bespeak that nan record listing cognition has completed successfully.

Proxy

This functionality allows nan backdoor to enactment arsenic a TCP proxy betwixt nan C&C server and an arbitrary machine. As pinch different commands processed successful parallel, nan pursuing is done successful a caller thread utilizing its ain socket. SparrowDoor sends an acknowledgment connection pinch nan aforesaid ID arsenic nan original command; nan assemblage of this connection contains nan unsocial ID of nan victim. Command ID 0x32341139 is past sent by nan server to really initiate nan proxy. The proxy functionality is achieved by creating 2 caller sockets, 1 connected to nan C&C server and different connected to an reside and larboard provided by nan server connected that caller connection. SparrowDoor past uses a brace of Winsock structures and events to support way of incoming packets and relay them betwixt nan 2 parties. The summation of proxy functionality to SparrowDoor whitethorn beryllium a hint that nan group is pursuing nan inclination of China-aligned threat actors building and utilizing operational relay container (ORB) networks.

Modular SparrowDoor

The modular type of SparrowDoor is importantly different from nan erstwhile ones. On nan web connection side, nan bid header is sent separately from nan assemblage and that information is RC4 encrypted pinch nan hardcoded cardinal iotrh^%4CFGTj. The civilization classes utilized for web connection successful this type still usage Winsock TCP sockets and are very akin to those we mentioned antecedently – nan astir notable quality being that nan kid people is deceptively named CShttps alternatively of CTcpSocket. As seen successful Table 3, of nan commands coming successful erstwhile versions of SparrowDoor, this 1 only implements nan commands that subordinate to managing nan C&C configuration and uninstalling nan backdoor. Information astir nan big instrumentality is sent automatically aft nan first relationship connection and includes a database of installed information products successful summation to what was sent successful erstwhile versions.

All of nan different commands are related to nan handling of plugins. We judge that nan removed functionality has simply been moved to 1 aliases much modules. While we person yet to observe immoderate specified plugin, we tin stock insights based connected our study of nan codification that implements this functionality.

Table 3. Commands implemented successful nan modular type of SparrowDoor

Plugins

Installed plugins are referenced via a modular C++ list; each introduction consists of a bitmask and a handler usability address. The bitmask is utilized to find which bid IDs are handled by nan plugin and corresponds to nan debased nibble of nan 3rd byte of nan bid ID (i.e., CommandID & 0xF0000).

This type of SparrowDoor tin usage 5 different bid IDs to invoke plugin commands. Of those, 3 (0x3A76, 0x3A77, and 0x3A7B) travel almost precisely nan aforesaid way successful nan codification – nan only quality being nan consequence ID of nan acknowledgment message. There are immoderate very insignificant differences successful nan handshake process betwixt this group of commands and nan different two. However, successful each cases, nan bid is parallelized utilizing nan aforesaid method we described successful nan Commands section. On nan caller socket, nan backdoor sends nan corresponding consequence ID, nan unsocial big ID, and nan information it initially received from nan C&C server. This information appears to usability for illustration nan cognition ID mentioned successful nan File operations section. After this handshake is completed, each 5 commands telephone nan aforesaid usability to really grip nan plugin command. This usability receives nan bid ID and information from nan C&C server, past iterates done installed plugins to dispatch nan bid to nan correct handler. The process is repeated until nan backdoor receives an incorrectly formatted bid message.

By default, only 1 plugin, pinch a bitmask of 0x10000, is installed. This plugin handles nan installation of caller plugins sent by nan C&C server. Plugins are sent by nan server arsenic PE files and are ne'er stored connected disk. Coupled pinch nan reduced usability group coming successful nan guidelines backdoor, this is astir apt meant to evade detection. After specified a plugin is received, it is manually mapped successful representation and its fmain export is called. This usability returns a pointer to a building containing nan reside of a usability that returns nan bitmask for nan plugin and nan reside of nan handler function. If nary installed plugin has nan aforesaid bitmask, nan recently received plugin is added to nan list.

Links to erstwhile versions

We person besides identified older samples that coming important codification overlaps pinch this modular version, including akin codification to grip plugins. These samples correspond to nan backdoor that Trend Micro named HemiGate successful an August 2023 article. Some of nan samples moreover usage nan aforesaid RC4 cardinal mentioned successful that article. Rather than being sent by nan C&C, plugins are implemented arsenic C++ classes inheriting from an absurd people named PluginInterface. These plugins travel nan aforesaid shape described successful nan erstwhile paragraph: they person a method that returns a bitmask, utilized to dispatch commands, and a 2nd method to grip commands. We judge that HemiGate represents an earlier measurement successful nan improvement of nan modular backdoor. Thus, it is apt that nan plugins contained therein are typical of those utilized successful nan much caller modular version. Table 4 presents an overview of nan plugins and their functionality.

Table 4. Summary of plugins contained successful HemiGate

These similarities are grounds that nan cluster we way arsenic FamousSparrow astatine slightest partially overlaps pinch Earth Estries. Since HemiGate pre-dates some versions of SparrowDoor elaborate earlier successful this report, it whitethorn besides beryllium an denotation that nan modular and nan parallelized versions of SparrowDoor are being developed successful parallel.

ShadowPad

After SparrowDoor was detected successful nan US victim’s network, it was utilized to execute an MFC-based loader base similarities to nan ShadowPad loaders previously documented by Cisco Talos.

This ShadowPad loader is simply a DLL named imjpp14.dll, meant to beryllium loaded via DLL side-loading by nan more-than-14-year-old, legitimate, outdated type of nan Microsoft Office IME executable, imecmnt.exe, renamed to imjp14k.exe. The loader first checks whether its existent process is nan expected side-loading big by performing shape matching astatine offset 0xE367 in-memory. Once this validation succeeds, nan malicious DLL decrypts nan record named imjp14k.dll.dat that is located successful nan aforesaid directory arsenic nan DLL and its side-loading host. Finally, nan decrypted payload is injected into a wmplayer.exe process (Windows Media Player).

Even though we did not retrieve nan encrypted payload, an in-memory ShadowPad discovery occurred successful a wmplayer.exe process, pinch impjp14k.exe arsenic its genitor process. Furthermore, it connected to a ShadowPad C&C server (IP: 216.238.106[.]150). While we didn’t observe immoderate ShadowPad sample utilizing it, 1 of nan SparrowDoor C&C servers had a TLS certificate matching a known ShadowPad fingerprint.

Additionally, we detected ShadowPad loaders and nan ShadowPad backdoor successful representation connected respective machines successful nan victim’s network.

Note that this is nan first clip we person observed FamousSparrow making usage of nan ShadowPad backdoor.

Other tools

During nan compromise, successful summation to nan various malware mentioned above, we besides observed nan pursuing being utilized by nan threat actor:

• A basal batch book that dumps nan registry pinch nan pursuing commands:
  • reg prevention HKLM\SYSTEM C:\users\public\sys.hiv,
  • reg prevention HKLM\SAM C:\users\public\sam.hiv, and
  • reg prevention hklm\security C:\users\public\security.hiv.
• Impacket aliases NetExec, detected by our firewall, but we person not collected immoderate of nan commands.
• A loader for a type of nan open-source Spark RAT that was modified to see codification from an open-source Go shellcode loader.

We besides noticed nan usage of a instrumentality to dump LSASS representation pinch nan undocumented MiniDumpW API function. This instrumentality is divided into 2 DLLs stored connected disk arsenic %HOME%\dph.dll and %WINDIR%\SysWOW64\msvc.dll. The second is astir apt meant to blend successful pinch nan morganatic libraries for Microsoft Visual C++ (MSVC) that are stored successful nan aforesaid directory. The erstwhile is loaded via a morganatic type of VLC’s Cache Generator (vlc-gen-cache.exe), renamed to dph.exe, and imports functions from nan latter. Since VLC plugins tin beryllium autochthonal DLLs, its cache generator people contains codification to load and execute specified libraries.

Network infrastructure

The ShadowPad C&C server uses a self-signed TLS certificate, pinch a SHA-1 fingerprint of BAED2895C80EB6E827A6D47C3DD7B8EFB61ED70B, that attempts to spoof those utilized by Dell. This follows nan format that was described by Hunt Intelligence successful an article from February 2024. While this shape tin beryllium utilized to way ShadowPad servers, it is not linked to immoderate circumstantial threat actor. One of nan C&C servers utilized by SparrowDoor (45.131.179[.]24:80) had a TLS certificate, connected larboard 443, pinch nan aforesaid Common Name (CN) arsenic nan certificate utilized by nan aforementioned ShadowPad C&C server. This server is besides nan only 1 that was coming successful some versions of SparrowDoor.

We observed 3 unsocial SparrowDoor C&C servers successful this campaign, each of which utilized larboard 80. The modular sample was configured pinch amelicen[.]com arsenic its 3rd C&C server. When nan sample was first detected, this domain pointed to nan IP reside mentioned successful nan erstwhile paragraph. One of nan C&C servers configured successful nan modular sample (43.254.216[.]195:80) was besides utilized by nan SparrowDoor loader. This is strange, since SparrowDoor uses plain TCP and nan files were downloaded complete HTTP. However, location is simply a spread of almost 2 weeks betwixt nan downloads, connected June 30, 2024, and nan compilation of nan modular SparrowDoor, connected July 12, 2024. We do not cognize whether nan work listening connected that larboard was changed betwixt those 2 occurrences aliases whether nan SparrowDoor C&C server includes functionality to service files complete HTTP.

Conclusion

Due to nan deficiency of activity and nationalist reporting betwixt 2022 and 2024, FamousSparrow was presumed to beryllium inactive. However, our study of nan US web compromised successful July 2024 revealed 2 caller versions of SparrowDoor, showing that FamousSparrow is still processing its flagship backdoor. One of these caller versions was besides recovered connected a instrumentality successful Mexico. As we were mounting up search based connected what is covered successful this blogpost, we uncovered further activity by nan group during this period, including nan targeting of a governmental institution successful Honduras. This recently recovered activity indicates that not only is nan group still operating, but it was besides actively processing caller versions of SparrowDoor during this time.

We will proceed to show and study connected activity by FamousSparrow, and will besides proceed to travel nan chat surrounding imaginable links betwixt FamousSparrow and Salt Typhoon.

For immoderate inquiries astir our investigation published connected WeLiveSecurity, please interaction america astatine threatintel@eset.com. 

ESET Research offers backstage APT intelligence reports and information feeds. For immoderate inquiries astir this service, sojourn nan ESET Threat Intelligence page.

IoCs

Files

Network

MITRE ATT&CK techniques

This array was built utilizing version 16 of nan MITRE ATT&CK framework.