Full Report
The Chinese threat actor known as FamousSparrow has been linked to a cyber attack targeting a trade group in the United States and a research institute in Mexico to deliver its flagship backdoor SparrowDoor and ShadowPad. The activity, observed in July 2024, marks the first time the hacking crew has deployed ShadowPad, a malware widely shared by Chinese state-sponsored actors. "FamousSparrow
Analysis Summary
# Threat Actor: FamousSparrow
## Attribution & Identity
Attributed to a China-aligned threat actor. SparrowDoor, the group's flagship backdoor, has not been observed in any other actor's hands, which is why its presence is a strong attribution signal; the July 2024 activity shows the group also deploys ShadowPad, a backdoor widely shared among Chinese state-sponsored actors. Tactical overlaps are noted with the clusters tracked as Earth Estries, GhostEmperor, and Salt Typhoon, though ESET treats FamousSparrow as a distinct group with only loose links to Earth Estries.
## Activity Summary
Observed conducting cyber attacks in July 2024 against a trade group in the United States and a research institute in Mexico. This activity marked the group's first observed deployment of ShadowPad, alongside two new variants of its flagship SparrowDoor backdoor. ESET has documented the group's activity since September 2021, with targets including hotels, governments, engineering companies, and law firms.
## Tactics, Techniques & Procedures
- Initial access: a web shell was deployed on an Internet Information Services (IIS) server. The precise exploitation mechanism is unknown, but the victims were running outdated versions of Windows Server and Microsoft Exchange Server.
- The web shell retrieved a batch script from a remote server.
- The batch script launched a Base64-encoded .NET web shell, which in turn deployed the final payloads.
- Two previously undocumented SparrowDoor variants were deployed, one of them modular.
- The new variants parallelize command handling: time-consuming operations such as file I/O and the interactive shell now run concurrently, so they no longer block the handling of other commands.
- SparrowDoor C2 communication: on receiving such a command, the backdoor spawns a new thread that opens a separate connection to the C&C server and sends the victim ID and the command ID, so that the operator can tie each sub-command's traffic back to the original victim and command.
- Supported commands include starting a proxy and launching interactive shell sessions.
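The three-stage chain above (IIS web shell, remote batch script, Base64-encoded .NET web shell) is what a defender has to find on disk. The scanner below is an added example written for this summary, not code from the report or from ESET: it extracts long Base64 runs from ASP.NET pages, decodes them, and flags any that decode to .NET source calling process-execution or assembly-loading APIs, alongside the same check on the page's plaintext. The indicator list, the file extensions, the 64-character threshold and the two sample pages are constructed assumptions for the example, not artifacts from the campaign.

```python
"""Heuristic scanner for Base64-encoded .NET web shells under an IIS web root."""
import base64
import binascii
import re
from pathlib import Path
from typing import Optional

# Long Base64 runs: encoded source or IL rather than short tokens (64 is an assumed floor).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# .NET identifiers a command-execution web shell needs and a normal page rarely does (assumed list).
EXEC_INDICATORS = (
    "System.Diagnostics.Process",
    "ProcessStartInfo",
    "Process.Start",
    "cmd.exe",
    "Assembly.Load",
)


def try_decode(blob: str) -> Optional[bytes]:
    """Decode a Base64 run; trim to a multiple of four in case the regex swallowed a stray char."""
    if len(blob) % 4:
        blob = blob[: len(blob) - len(blob) % 4]
    try:
        return base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None


def as_text(raw: bytes) -> Optional[str]:
    """Render decoded bytes as text (.NET sources are UTF-8 or UTF-16-LE); reject binary blobs."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            txt = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in txt)
        if txt and printable >= 0.95 * len(txt):
            return txt
    return None


def find_indicators(text: str) -> list:
    return [s for s in EXEC_INDICATORS if s in text]


def scan_source(source: str) -> list:
    """Return findings for one page: plaintext indicators plus indicators inside decoded blobs."""
    findings = []
    inline = find_indicators(source)
    if inline:
        findings.append({"where": "inline", "indicators": inline})
    for m in B64_RUN.finditer(source):
        raw = try_decode(m.group(0))
        if raw is None:
            continue
        txt = as_text(raw)
        if txt is None:  # images and other binary survive Base64 decoding but not the text check
            continue
        hits = find_indicators(txt)
        if hits:
            findings.append({"where": f"base64@{m.start()}", "indicators": hits})
    return findings


def scan_webroot(root: Path) -> dict:
    """Scan every ASP.NET handler under root; map relative path -> findings (assumed extension set)."""
    results = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in {".aspx", ".ashx", ".asmx"}:
            found = scan_source(p.read_text(errors="replace"))
            if found:
                results[str(p.relative_to(root))] = found
    return results


# Constructed samples, not pages from the campaign: a benign page with an inline image,
# and a page whose only suspicious content is a Base64-encoded C# fragment.
_IMG = base64.b64encode(bytes(range(256)) * 2).decode()
BENIGN_PAGE = '<%@ Page Language="C#" %>\n<img src="data:image/png;base64,' + _IMG + '">\n'
_SHELL_SRC = 'var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);'
ENCODED_SHELL_PAGE = (
    '<%@ Page Language="C#" %>\n<% string src = "'
    + base64.b64encode(_SHELL_SRC.encode()).decode()
    + '"; %>\n'
)

if __name__ == "__main__":
    print("benign:", scan_source(BENIGN_PAGE))
    print("encoded shell:", scan_source(ENCODED_SHELL_PAGE))
```

Run `scan_webroot(Path(r"C:\inetpub\wwwroot"))` on a suspect server and triage the hits together with file creation times and the IIS request logs for the flagged paths; a decoded blob that only becomes executable after a second decoding or decryption layer will not be caught, so treat a clean result as a negative for this one pattern, not as a clean bill of health.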
## Targeting
- Sectors: a trade organization and a research institute (2024); historically hotels, governments, engineering companies, and law firms; telecom, via overlaps with other tracked clusters.
- Geography: United States, Mexico.
- Victims: A trade group in the U.S. and a research institute in Mexico (July 2024).
## Tools & Infrastructure
- Malware families used: SparrowDoor (new variants deployed), ShadowPad (first time observed deployment).
- Infrastructure: a remote server hosted the batch script that the initial web shell fetched; with the new SparrowDoor variants, each parallelized command opens its own connection from the compromised host to the C&C server. No specific IPs or domains appear in the provided text.
## Implications
FamousSparrow's tooling is still under active development: the modular and parallelized SparrowDoor variants show ongoing engineering rather than reuse of a static toolkit, on par with other established espionage groups. The addition of ShadowPad points either to growing technical capability or to resource sharing with other Chinese state-sponsored actors. Continued targeting of sensitive organizations in North America signals persistent espionage objectives.
## Mitigations
- Patch Windows Server and Microsoft Exchange Server, since the victims were running outdated versions of both.
- Monitor IIS servers for web shell deployment: newly written or modified .aspx/.ashx handlers in the web root, and the IIS worker process (w3wp.exe) spawning cmd.exe or script interpreters.
- Deploy endpoint detection and response capable of flagging the observed chain: a batch script fetched from a remote server and a Base64-encoded .NET web shell that decodes and runs further payloads.
- Hunt for the network pattern implied by the new SparrowDoor variants: a single host keeping a session to an external endpoint while opening additional parallel connections to the same endpoint as commands are dispatched.
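The per-command connections described in the TTP section (a new thread and a new C&C connection for each time-consuming command) give defenders a session shape to hunt for even without indicators, since the victim ID and command ID travel inside the payload and are not visible in flow data. The script below is an added example for this summary, not tooling from the report or from ESET: it reads a connection log, drops short request/response sessions, and reports any (source, destination, port) tuple that had several long-lived sessions open at the same instant, using a sweep-line count so that back-to-back sessions are not mistaken for overlapping ones. The CSV field names, the thresholds, and the log lines (documentation-range addresses) are constructed assumptions.

```python
"""Hunt for hosts holding overlapping long-lived sessions to one external endpoint."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

MIN_DURATION = timedelta(minutes=10)  # assumed: ignore short request/response sessions
MIN_OVERLAP = 2                       # assumed: flag two or more sessions open at once


def parse_log(text: str) -> list:
    """Parse a CSV of start,end,src,dst,dport rows (assumed schema) into dicts."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(r["start"]),
            "end": datetime.fromisoformat(r["end"]),
            "key": (r["src"], r["dst"], int(r["dport"])),
        })
    return rows


def max_concurrency(intervals: list) -> int:
    """Sweep-line: the peak number of intervals open at the same instant."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    # At equal timestamps close (-1) before open (+1), so a session that starts
    # exactly when the previous one ends does not count as overlapping.
    events.sort(key=lambda ev: (ev[0], ev[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def hunt(text: str, min_duration: timedelta = MIN_DURATION, min_overlap: int = MIN_OVERLAP) -> dict:
    """Map (src, dst, dport) -> peak concurrency for tuples at or above min_overlap."""
    by_key = defaultdict(list)
    for r in parse_log(text):
        if r["end"] - r["start"] >= min_duration:
            by_key[r["key"]].append((r["start"], r["end"]))
    hits = {}
    for key, intervals in by_key.items():
        peak = max_concurrency(intervals)
        if peak >= min_overlap:
            hits[key] = peak
    return hits


# Constructed log, not traffic from the campaign. 10.1.1.5 makes parallel but short web
# fetches; 10.1.1.11 has two back-to-back sessions; 10.1.1.9 holds one long database
# session; 10.1.1.20 keeps a primary session open while two more sessions run beside it.
CONNECTION_LOG = """\
start,end,src,dst,dport
2024-07-02T09:00:00,2024-07-02T09:00:02,10.1.1.5,203.0.113.8,443
2024-07-02T09:00:00,2024-07-02T09:00:01,10.1.1.5,203.0.113.8,443
2024-07-02T09:00:01,2024-07-02T09:00:03,10.1.1.5,203.0.113.8,443
2024-07-02T09:00:00,2024-07-02T09:30:00,10.1.1.11,192.0.2.40,443
2024-07-02T09:30:00,2024-07-02T10:00:00,10.1.1.11,192.0.2.40,443
2024-07-02T08:00:00,2024-07-02T18:00:00,10.1.1.9,192.0.2.30,5432
2024-07-02T10:00:00,2024-07-02T13:00:00,10.1.1.20,198.51.100.7,443
2024-07-02T10:05:00,2024-07-02T11:30:00,10.1.1.20,198.51.100.7,443
2024-07-02T10:07:00,2024-07-02T12:00:00,10.1.1.20,198.51.100.7,443
"""

if __name__ == "__main__":
    for key, peak in hunt(CONNECTION_LOG).items():
        print(f"{key[0]} -> {key[1]}:{key[2]} peak concurrent long-lived sessions = {peak}")
```

Connection pools to databases, message brokers and RPC services produce exactly the same shape, so the output is a hunt lead rather than an alert: triage each tuple by whether the destination is an internal service, whether the owning process on the host is expected to talk to it, and whether the sessions line up with other signs of the chain, such as a web shell on the same host.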