
Tracking FamousSparrow’s July 2024 Cyber Activity and Threat Evolution
Threat Spotlight: Tracking FamousSparrow’s Latest Activity
By: Cyberanansi
#CyberThreats
Greetings from the SOC floor. Our feeds have been buzzing lately with news about the Chinese threat actor known as FamousSparrow. While not a brand-new face, their recent activity, observed specifically in July 2024, shows some notable evolutions that we in security operations need to be aware of. They’ve been linked to attacks on a trade group in the United States and a research institute in Mexico. This latest campaign is particularly interesting because it marks the first time they’ve been seen deploying ShadowPad, a backdoor widely associated with Chinese state-sponsored actors.
Overview
FamousSparrow was first brought to light by ESET in September 2021, targeting sectors like hotels, governments, engineering companies, and law firms. Their signature tool has always been the SparrowDoor implant. However, in this latest round of attacks, ESET identified two previously undocumented versions of the SparrowDoor backdoor. According to ESET, these new versions represent “considerable progress” over previous iterations.
Attack Chain
The observed attack chain typically involves the threat actor first deploying a web shell on an Internet Information Services (IIS) server. The exact method for achieving this initial compromise isn’t specified in the report, but it’s noted that the targeted victims were running outdated versions of Windows Server and Microsoft Exchange Server, which is a common vector we see exploited.
Once the web shell is in place, it acts as a conduit to download a batch script from a remote server. This script then launches a Base64-encoded .NET web shell embedded within it. This second-stage web shell is the payload dropper, ultimately responsible for deploying both SparrowDoor and ShadowPad.
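The stage described above, a batch script that carries its second-stage .NET web shell inline as Base64, is a useful thing for a SOC analyst to be able to triage quickly. The following Python script is an added example written for this post, not code from the ESET report or from the actor: it finds Base64 runs in a suspected batch file, decodes each one, and reports whether the decoded content carries ASP.NET constructs typical of a .NET web shell. The batch text, the payload stub, and the marker list are all constructed for the example; real samples will vary.

```python
import base64
import binascii
import re

# ASP.NET constructs an analyst expects to see in a .NET web shell: page/handler
# directives, server-side script blocks, and request-driven process execution.
# Constructed marker list for this example; extend it from your own casework.
DOTNET_MARKERS = (
    "<%@ Page",
    "<%@ WebHandler",
    'runat="server"',
    "System.Diagnostics.Process",
    "Request.Form",
    "Request.QueryString",
)

# A run of at least 64 Base64 characters with optional '=' padding.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

# Constructed sample (not the actor's script): a batch file carrying a Base64 blob.
# The decoded content is a harmless ASP.NET page stub used only to exercise the logic.
SAMPLE_PAYLOAD = (
    b'<%@ Page Language="C#" %>\r\n'
    b'<script runat="server">\r\n'
    b'// placeholder body for the triage example\r\n'
    b'</script>\r\n'
)
SAMPLE_BATCH = (
    "@echo off\r\n"
    "rem stage-two payload is carried inline as Base64\r\n"
    "set P=" + base64.b64encode(SAMPLE_PAYLOAD).decode("ascii") + "\r\n"
    "echo %P%\r\n"
)


def find_base64_blobs(text):
    """Return (offset, decoded_bytes) for every Base64 run in text that decodes cleanly."""
    blobs = []
    for m in _B64_RUN.finditer(text):
        run = m.group(0)
        if len(run) % 4:  # valid Base64 is always a multiple of 4 characters
            continue
        try:
            blobs.append((m.start(), base64.b64decode(run, validate=True)))
        except binascii.Error:
            continue
    return blobs


def payload_markers(data):
    """List which .NET web shell markers appear in a decoded payload (case-insensitive)."""
    text = data.decode("utf-8", errors="ignore").lower()
    return [marker for marker in DOTNET_MARKERS if marker.lower() in text]


def triage_batch(script_text):
    """Decode every embedded Base64 blob in a batch script and flag .NET web shell content."""
    findings = []
    for offset, data in find_base64_blobs(script_text):
        markers = payload_markers(data)
        findings.append({
            "offset": offset,
            "decoded_size": len(data),
            "markers": markers,
            "looks_like_dotnet_webshell": bool(markers),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_batch(SAMPLE_BATCH):
        print(finding)
```

Run it against any batch file pulled from an IIS host during an investigation; a finding with `looks_like_dotnet_webshell` set is worth escalating, and the decoded bytes can be handed straight to your sandbox or YARA pipeline.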
SparrowDoor Malware
New Versions
One of the new SparrowDoor versions is said to resemble an older backdoor called Crowdoor, but it features significant improvements. Crucially, both new SparrowDoor variants implement parallelization of commands. This means the backdoor can execute time-consuming tasks, such as file I/O or running an interactive shell, simultaneously.
- Command Execution: Can execute commands in parallel by creating new threads.
- Unique Identifiers: Each thread uses unique victim IDs and command IDs.
- Capabilities: Starting proxies, launching interactive shell sessions, file operations, and more.
The second new version of SparrowDoor is described as modular and significantly different from older artifacts. It uses a plugin-based approach to achieve its objectives.
- Cmd: Executes a single command.
- CFile: Performs file system operations.
- CKeylogPlug: Logs keystrokes.
- CSocket: Launches a TCP proxy.
- CShell: Starts an interactive shell session.
- CTransf: Handles file transfers.
- CRdp: Takes screenshots.
- CPro: Manages running processes.
- CFileMoniter: Monitors file system changes.
Detection Tactics
From a detection standpoint, the use of web shells on IIS servers is a critical initial indicator. Monitoring for newly deployed or modified web files, unusual outgoing connections from IIS servers, and the execution of suspicious batch scripts or encoded commands are key. The behavior of the new SparrowDoor variants, particularly their ability to create multiple C&C connections for parallel tasks, is also something to watch for in network traffic analysis.
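To make the IIS-side indicators concrete, here is an added Python example (written for this post, not part of the ESET report) that parses W3C-format IIS logs and flags two things: requests for server-side script files that are not in a known-page baseline, and bursts of POSTs from one client to such a page, which is how an operator typically drives a web shell. The log lines, the baseline set and the paths are all constructed for the example; the field list follows the default W3C logging format, and the burst threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IIS W3C log excerpt (not real telemetry). /owa/auth/logon.aspx stands
# in for a legitimate application page and /images/helper.aspx for a file that is
# not in the baseline.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status time-taken
2024-07-10 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 203.0.113.7 Mozilla/5.0 200 15
2024-07-10 08:02:40 10.0.0.5 POST /images/helper.aspx - 443 198.51.100.23 python-requests/2.31 200 310
2024-07-10 08:02:41 10.0.0.5 POST /images/helper.aspx - 443 198.51.100.23 python-requests/2.31 200 295
2024-07-10 08:02:43 10.0.0.5 POST /images/helper.aspx - 443 198.51.100.23 python-requests/2.31 200 1204
2024-07-10 08:05:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 203.0.113.8 Mozilla/5.0 200 12
"""

# Constructed baseline of server-side pages the application is known to serve.
# In practice this is generated from the deployed application's file inventory.
KNOWN_PAGES = {"/owa/auth/logon.aspx"}

# Extensions IIS hands to a script engine; a new file with one of these is the
# classic web shell footprint.
SCRIPT_EXTS = (".aspx", ".ashx", ".asmx", ".asp")


def parse_iis_log(text):
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header names follow the directive
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()  # IIS encodes spaces inside values as '+'
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def find_unknown_script_requests(rows, known_pages):
    """Requests for script-engine files that are not in the known-page baseline."""
    return [
        r for r in rows
        if r["cs-uri-stem"].lower().endswith(SCRIPT_EXTS)
        and r["cs-uri-stem"].lower() not in known_pages
    ]


def _ts(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def post_bursts(rows, min_posts=3, window_seconds=60):
    """Flag (client, page) pairs with at least min_posts POSTs inside window_seconds.

    A web shell is driven by repeated POSTs from one operator address, so a burst
    of POSTs to a page nobody knew existed is a stronger signal than a single hit.
    """
    buckets = defaultdict(list)
    for r in rows:
        if r["cs-method"].upper() == "POST":
            buckets[(r["c-ip"], r["cs-uri-stem"])].append(_ts(r))
    alerts = []
    for (client, page), times in sorted(buckets.items()):
        times.sort()
        for i in range(len(times) - min_posts + 1):
            if (times[i + min_posts - 1] - times[i]).total_seconds() <= window_seconds:
                alerts.append({"client": client, "page": page, "posts": len(times)})
                break
    return alerts


if __name__ == "__main__":
    rows = parse_iis_log(IIS_LOG)
    suspicious = find_unknown_script_requests(rows, KNOWN_PAGES)
    for alert in post_bursts(suspicious):
        print(alert)
```

The baseline is the part that needs care: build it from the application's deployment manifest rather than from the log itself, otherwise a web shell that has been in place since before the baseline was taken will look legitimate.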
Remediation and Recommendations for Cybersecurity Teams
Identifying Web Shells
- Monitor for newly deployed or modified web files on IIS servers.
- Analyse outgoing connections for unusual patterns.
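The "unusual patterns" worth looking for in outgoing connections include the one the Detection Tactics section calls out: a backdoor that runs tasks in parallel opens several C&C sessions at the same time, so a web server holding multiple simultaneous sessions to one external host is a pattern worth alerting on. The following Python sweep-line counter is an added example for this post, not code from the ESET report; the connection records are constructed, and the threshold of three concurrent sessions is an assumption to tune against your own servers' normal outbound behaviour.

```python
from collections import defaultdict
from datetime import datetime


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed outbound connection records for one IIS host, in the shape a firewall
# or EDR network log would export: (start, end, destination IP). The three overlapping
# sessions to 192.0.2.44 are the footprint parallelized backdoor tasking would leave;
# the single short session to 203.0.113.200 is ordinary traffic. Not real telemetry.
CONNS = [
    ("2024-07-10 08:03:00", "2024-07-10 08:09:00", "192.0.2.44"),
    ("2024-07-10 08:03:05", "2024-07-10 08:07:30", "192.0.2.44"),
    ("2024-07-10 08:03:20", "2024-07-10 08:10:00", "192.0.2.44"),
    ("2024-07-10 08:04:00", "2024-07-10 08:04:02", "203.0.113.200"),
]


def max_concurrent_by_dst(conns):
    """Sweep-line count of the peak number of simultaneously open sessions per destination."""
    events = defaultdict(list)
    for start, end, dst in conns:
        events[dst].append((_ts(start), 1))   # session opens
        events[dst].append((_ts(end), -1))    # session closes
    peaks = {}
    for dst, evs in events.items():
        # At equal timestamps -1 sorts before +1, so a session that starts exactly
        # when another ends is not counted as overlapping.
        evs.sort()
        open_sessions = peak = 0
        for _, delta in evs:
            open_sessions += delta
            peak = max(peak, open_sessions)
        peaks[dst] = peak
    return peaks


def flag_parallel_sessions(conns, threshold=3):
    """Destinations to which the host held at least `threshold` sessions open at once."""
    return sorted(
        dst for dst, peak in max_concurrent_by_dst(conns).items() if peak >= threshold
    )


if __name__ == "__main__":
    print(max_concurrent_by_dst(CONNS))
    print(flag_parallel_sessions(CONNS))
```

A web server normally has little reason to hold several long-lived outbound sessions to the same external address; legitimate exceptions (update services, reverse proxies) belong in an allow-list applied before the threshold check.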
System and Network Security
- Regularly patch systems to fix vulnerabilities, especially on Windows Server and Microsoft Exchange Server.
- Implement strong monitoring for web shell activity.
Training and Policy Implementation
- Conduct regular employee training on identifying phishing attempts and unusual commands.
- Develop and enforce incident response plans tailored to your environment.
The continued development and deployment of new SparrowDoor versions, along with the adoption of ShadowPad, indicate that FamousSparrow is still actively operating and evolving their toolset. Staying ahead means keeping systems patched, implementing strong monitoring for web shell activity, and understanding the capabilities of their latest backdoor variants. This intelligence helps us build better detection rules and improve our response capabilities.