
FamousSparrow Cyber Threat Evolves with New SparrowDoor and ShadowPad Deployment
Unveiling the Evolving Threat: FamousSparrow’s Tactics and Tools
By: Cyberanansi | Category: #CyberSecurity
Greetings from the SOC floor. Our feeds have been buzzing lately with news about the Chinese threat actor known as FamousSparrow. While not a brand-new face, their recent activity, observed specifically in July 2024, shows notable evolutions that we in security operations need to be aware of. They’ve been linked to attacks on a trade group in the United States and a research institute in Mexico. This latest campaign is especially interesting because it marks the first time they’ve been seen deploying ShadowPad, a backdoor widely associated with Chinese state-sponsored actors.
Overview
FamousSparrow was first brought to light by ESET in September 2021, targeting sectors like hotels, governments, engineering companies, and law firms. Their signature tool has always been the SparrowDoor implant. However, in this latest round of attacks, ESET identified two previously undocumented versions of the SparrowDoor backdoor. According to ESET, these new versions represent “considerable progress” over previous iterations.
Initial Attack Vector
The observed attack chain typically involves the threat actor first deploying a web shell on an Internet Information Services (IIS) server. The exact method for achieving this initial compromise isn’t specified in the report, but it’s noted that the targeted victims were running outdated versions of Windows Server and Microsoft Exchange Server, which is a common vector we see exploited.
Evolution of SparrowDoor
New Features
Let’s talk about the malware itself. One of the new SparrowDoor versions is said to resemble an older backdoor called Crowdoor, but it features significant improvements. Crucially, both new SparrowDoor variants implement parallelization of commands. This means the backdoor can execute time-consuming tasks, such as file I/O or running an interactive shell, simultaneously.
Capabilities
- Starting proxies
- Launching interactive shell sessions
- File operations and file system enumeration
- Host information gathering
- Self-uninstallation
Modular Version
The second new version of SparrowDoor is described as modular and significantly different from older artifacts. It uses a plugin-based approach to achieve its objectives. This modular variant supports at least nine different plugins:
- Cmd: Executes a single command.
- CFile: Performs file system operations.
- CKeylogPlug: Logs keystrokes.
- CSocket: Launches a TCP proxy.
- CShell: Starts an interactive shell session.
- CTransf: Handles file transfers between the compromised host and the C&C server.
- CRdp: Takes screenshots.
- CPro: Lists running processes and can terminate specific ones.
- CFileMoniter: Monitors file system changes in specified directories.
Detection and Monitoring
From a detection standpoint, the use of web shells on IIS servers is a critical initial indicator. Monitoring for newly deployed or modified web files, unusual outgoing connections from IIS servers, and the execution of suspicious batch scripts or encoded commands is key. The behavior of the new SparrowDoor variants, particularly their ability to create multiple C&C connections for parallel tasks, is also something to watch for in network traffic analysis.
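As an added example (not from the original post or from ESET's report) of the parallel C&C signal described above: a sweep-line check over flow records that reports every non-allowlisted outbound destination of an IIS server together with the peak number of simultaneous sessions to it. The server set, the destination allowlist, the record format and the flow records themselves are constructed assumptions for this example.

```python
"""Spot parallel outbound sessions from web servers in flow records.

Two signals from one pass over the data:
  1. any outbound session from an IIS server to a destination not on the
     allowlist (web servers rarely need to initiate connections), and
  2. the peak number of those sessions that overlap in time, which is the
     shape a backdoor running several tasks over separate C&C channels leaves.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float        # session start, epoch seconds
    duration: float  # seconds
    orig_h: str      # originating host
    resp_h: str      # responding host
    resp_p: int      # responding port


# Constructed: the servers we care about and the destinations they may legitimately reach.
IIS_SERVERS = {"10.0.0.5"}
ALLOWED_DESTINATIONS = {("10.0.0.20", 1433), ("10.0.0.2", 53)}  # e.g. database, DNS

# Constructed sample records (tab-separated, Zeek conn.log-like columns).
FLOWS = """\
#ts\tduration\tid.orig_h\tid.resp_h\tid.resp_p
1720000000.0\t0.2\t10.0.0.5\t10.0.0.2\t53
1720000010.0\t5.0\t10.0.0.5\t10.0.0.20\t1433
1720000100.0\t3600.0\t10.0.0.5\t192.0.2.44\t443
1720000160.0\t900.0\t10.0.0.5\t192.0.2.44\t443
1720000200.0\t120.0\t10.0.0.5\t192.0.2.44\t443
1720000300.0\t1.5\t10.0.0.7\t198.51.100.9\t443
1720000500.0\t2.0\t10.0.0.5\t192.0.2.99\t80
"""


def parse_flows(text):
    """Parse the constructed tab-separated format into Flow objects, skipping '#' headers."""
    flows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        ts, dur, orig, resp, port = line.split("\t")
        flows.append(Flow(float(ts), float(dur), orig, resp, int(port)))
    return flows


def max_concurrency(intervals):
    """Sweep line: the largest number of (start, end) intervals open at one instant."""
    events = []
    for start, end in intervals:
        events.append((start, 1))
        events.append((end, -1))
    # At equal timestamps process the end (-1) first so back-to-back sessions don't count as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def find_parallel_outbound(flows, servers=IIS_SERVERS, allowed=ALLOWED_DESTINATIONS, min_parallel=2):
    """One finding per (server, destination) pair that is outside the allowlist."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.orig_h in servers and (f.resp_h, f.resp_p) not in allowed:
            by_pair[(f.orig_h, f.resp_h, f.resp_p)].append((f.ts, f.ts + f.duration))
    findings = []
    for (src, dst, port), intervals in sorted(by_pair.items()):
        peak = max_concurrency(intervals)
        findings.append({
            "server": src,
            "dest": f"{dst}:{port}",
            "sessions": len(intervals),
            "peak_parallel": peak,
            "parallel": peak >= min_parallel,
        })
    return findings


if __name__ == "__main__":
    for finding in find_parallel_outbound(parse_flows(FLOWS)):
        flag = "PARALLEL" if finding["parallel"] else "single"
        print(f"{finding['server']} -> {finding['dest']}: {finding['sessions']} sessions, "
              f"peak {finding['peak_parallel']} concurrent [{flag}]")
```

In the sample data, 192.0.2.44:443 receives three overlapping sessions from the IIS server (peak 3), which is the pattern worth a closer look; 192.0.2.99:80 is a single unexpected outbound session, still reported because web servers reaching unknown hosts is itself the first indicator, but not marked parallel. On real data the allowlist should come from the server's documented dependencies rather than from a hand-written set.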
Remediation and Recommendations for Cybersecurity Teams
Patching and Updates
- Ensure all systems, especially Windows Server and Microsoft Exchange Server, are up-to-date with the latest security patches.
- Engage in regular vulnerability assessments to identify and mitigate threats.
Monitoring and Detection
- Continuously monitor IIS server logs for anomalies indicative of a web shell presence.
- Deploy advanced intrusion detection systems (IDS) to alert on suspicious activities.
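One way to turn the IIS log recommendation above into a concrete check, as an added example that is not part of the original post or of ESET's report: a small Python parser for IIS W3C extended logs that flags successful requests to server-side script paths outside a known-good baseline and rolls them up per path, so a script that appeared on disk without a deployment shows up as a new path hit by a handful of clients. The baseline set, the host names, the addresses and the sample log lines are all constructed for this example.

```python
"""Flag web-shell-like activity in IIS W3C extended log lines.

Defensive baseline approach: any request to a server-side script path that is
not in the known-good set is suspicious, and a successful POST to it more so.
"""
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp", ".php")

# Constructed baseline of script paths that legitimately exist on this server
# (in practice generated from a clean build or a file inventory, not by hand).
KNOWN_SCRIPTS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed sample log: the unknown script path and client addresses are made up.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-07-15 08:01:12 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 120
2024-07-15 08:01:40 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.20 Mozilla/5.0 https://mail.example.test/owa/ 302 0 0 88
2024-07-15 08:03:05 10.0.0.5 GET /aspnet_client/status.aspx - 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 15
2024-07-15 08:03:09 10.0.0.5 POST /aspnet_client/status.aspx - 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 410
2024-07-15 08:03:30 10.0.0.5 POST /aspnet_client/status.aspx - 443 - 203.0.113.77 python-requests/2.31 - 200 0 0 3020
2024-07-15 08:05:00 10.0.0.5 GET /images/logo.png - 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 5
"""


def parse_iis_w3c(lines):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_webshell_candidates(records, known_scripts=KNOWN_SCRIPTS):
    """One finding per successful (2xx) request to a script path outside the baseline."""
    baseline = {p.lower() for p in known_scripts}
    findings = []
    for r in records:
        path = r.get("cs-uri-stem", "")
        status = r.get("sc-status", "")
        if not path.lower().endswith(SCRIPT_EXTENSIONS) or path.lower() in baseline:
            continue
        if not status.startswith("2"):
            continue  # failed requests for scripts that don't exist are mostly scanner noise
        method = r.get("cs-method", "")
        findings.append({
            "time": f"{r.get('date')} {r.get('time')}",
            "client": r.get("c-ip"),
            "method": method,
            "path": path,
            "user_agent": r.get("cs(User-Agent)"),
            "severity": "high" if method == "POST" else "medium",
        })
    return findings


def summarize_by_path(findings):
    """Roll findings up per path: request count, POST count, distinct clients, first seen."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["path"], {"requests": 0, "posts": 0, "clients": set(), "first_seen": f["time"]})
        s["requests"] += 1
        s["posts"] += f["method"] == "POST"
        s["clients"].add(f["client"])
        s["first_seen"] = min(s["first_seen"], f["time"])
    return summary


if __name__ == "__main__":
    hits = find_webshell_candidates(parse_iis_w3c(IIS_LOG.splitlines()))
    for path, s in summarize_by_path(hits).items():
        print(f"{path}: {s['requests']} requests ({s['posts']} POST) from "
              f"{len(s['clients'])} client(s), first seen {s['first_seen']}")
```

The baseline comparison is what keeps this useful: matching on request shape alone (POSTs, odd user agents) produces noise on a busy Exchange front end, whereas a script path the deployment never shipped is a concrete artifact to pull from disk and examine. Pair the per-path summary with file-system change monitoring on the web root so the first write and the first request line up.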
Employee Training
- Conduct regular training sessions to raise awareness of phishing and social engineering tactics used by threat actors.
- Implement strict access controls based on the principle of least privilege.
While FamousSparrow’s tactics overlap with other clusters like Earth Estries, GhostEmperor, and Salt Typhoon, ESET is currently treating FamousSparrow as a distinct threat group, albeit with some loose connections to Earth Estries based on similarities with other malware like Crowdoor and HemiGate. The continued development and deployment of new SparrowDoor versions, along with the adoption of ShadowPad, indicate that FamousSparrow is still actively operating and evolving their toolset. Staying ahead means keeping systems patched, implementing strong monitoring for web shell activity, and understanding the capabilities of their latest backdoor variants. This intelligence helps us build better detection rules and improve our response capabilities.