Cybersecurity researchers have revealed that in July 2024, the China-linked threat actor FamousSparrow targeted a U.S. trade association and a Mexican research institute. FamousSparrow deployed enhanced versions of their SparrowDoor backdoor alongside ShadowPad, a malware commonly associated with Chinese state-sponsored actors.
In the campaign, FamousSparrow introduced two new SparrowDoor variants. One resembles Crowdoor, another backdoor linked to Chinese-speaking threat actors, while both exhibit significant enhancements over earlier versions.
Most noteworthy is their ability to execute time-intensive commands—such as file operations and interactive shell sessions—in parallel, allowing the backdoor to process new instructions concurrently with ongoing tasks. This upgrade makes these variants more efficient at maintaining persistence and executing attacker-controlled actions on compromised systems.
The attack sequence from July involved deploying a web shell on an Internet Information Services (IIS) server, though the exact method of initial access remains undetermined. The compromised servers were running outdated versions of Windows Server and Microsoft Exchange Server, which may have facilitated the intrusion.
The SparrowDoor backdoor communicates with its command-and-control (C2) server using encrypted HTTP requests, allowing it to blend in with normal web traffic and evade detection. It periodically reaches out to the C2 server to receive new commands, which include file operations, executing system commands, and establishing interactive shell sessions.
Source: The Hacker News
Analysis
FamousSparrow has been active since at least 2019 and has a history of infiltrating hotels, government agencies, engineering firms, and law offices across countries such as Brazil, Canada, Israel, Saudi Arabia, Taiwan, and the United Kingdom.
The targeting of a U.S. trade association in July 2024 is interesting given the current trade war between China and the U.S. It’s possible that even as early as July 2024, China was concerned about potential tariffs being placed on Chinese goods if President Trump was re-elected, so it launched this campaign to gather relevant intelligence. On the other hand, it’s entirely possible that this is just a coincidence.
The exact attack vector FamousSparrow used in this campaign is unknown. However, it’s possible that the group used a technique recently observed by Microsoft: where developers have deployed applications with static ASP.NET machine keys copied from public sources, a threat actor who knows those keys can craft and send malicious ViewStates to the target server, which allows remote code execution on the underlying IIS server.
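As an added defender-side check (example code, not from the article or from Field Effect), the following Python script audits a web.config for a static `<machineKey>`, which is the precondition for the ViewState technique described above. The embedded config and the known-key set are constructed placeholders; in practice the set would be populated from a vetted list of publicly disclosed keys.

```python
"""Flag ASP.NET web.config files whose <machineKey> uses static keys.

Static validationKey/decryptionKey values, especially ones copied from
public documentation or forums, let anyone who knows them forge ViewState
payloads. This is a configuration audit, not a detection of any specific
threat actor.
"""
import xml.etree.ElementTree as ET
from typing import List, Set

# Constructed sample config with placeholder (not real-world) key values.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""

# Placeholder set: fill from a vetted list of publicly known keys (assumption).
KNOWN_PUBLIC_KEYS: Set[str] = {
    "0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
}


def audit_machine_key(config_xml: str, known_keys: Set[str] = KNOWN_PUBLIC_KEYS) -> List[str]:
    """Return findings for a web.config string; an empty list means nothing was flagged."""
    findings: List[str] = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            # "AutoGenerate" / "AutoGenerate,IsolateApps" means per-machine generated keys,
            # which cannot be looked up from a public source.
            if value.startswith("AutoGenerate"):
                continue
            findings.append(f"static {attr} configured ({len(value)} chars)")
            if value.upper() in known_keys:
                findings.append(f"{attr} matches a publicly known key: rotate immediately")
        # MD5/SHA1 validation is weaker than the HMACSHA256+ options ASP.NET supports.
        if mk.get("validation", "").upper() in ("MD5", "SHA1"):
            findings.append(f"weak validation algorithm {mk.get('validation')}; use HMACSHA256 or stronger")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print(finding)
```

Run it against each site's web.config; any "matches a publicly known key" finding should be treated as an exposed server until the keys are rotated.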
Mitigation
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for emerging threats emanating from China-linked threat actors like FamousSparrow. Field Effect MDR users are automatically notified if activity associated with these groups is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.