FamousSparrow has been linked to a cyberattack that targeted a Mexican research institute and a trade association in the United States. As part of the attack chain, the threat actor deploys a web shell on an Internet Information Services (IIS) server. A Base64-encoded .NET web shell is embedded in that web shell and serves as the conduit for dropping a batch script from a remote server.
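The layout described above, a web shell carrying a second, Base64-encoded .NET payload that it decodes and loads at request time, is something a defender can hunt for on an IIS box without any sample of the real malware. The scanner below is an added example (not ESET's code or a FamousSparrow artifact): it pulls long Base64 runs out of an ASP.NET source file, decodes them, checks for a PE header and the CLR metadata signature, and pairs that with the loader calls (`Convert.FromBase64String`, `Assembly.Load`, `.Invoke`) that a two-stage web shell needs. The two sample pages are constructed for the demonstration; the "assembly" is a header-only stand-in, not a loadable binary, and the `Stage2`/`Run` names are invented.

```python
"""Hunt for an ASP.NET page that embeds a Base64-encoded .NET assembly and loads it.
Added example for the two-stage IIS web shell pattern; samples below are constructed."""
import base64
import re

# Any Base64 run this long inside an .aspx/.ashx source is worth decoding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")

# Source-level signs that a decoded blob is turned into a managed assembly at request time.
LOADER_PATTERNS = {
    "Convert.FromBase64String": re.compile(r"Convert\.FromBase64String\s*\(", re.I),
    "Assembly.Load": re.compile(r"Assembly\.Load\s*\(", re.I),
    "Invoke": re.compile(r"\.Invoke\s*\(", re.I),
}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_source(text: str) -> dict:
    """Decode every long Base64 run in an ASP.NET source and report embedded PE payloads
    together with the loader calls found in the surrounding code."""
    findings = {"embedded_pe": False, "looks_managed": False, "blob_bytes": 0}
    for match in B64_RUN.finditer(text):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError; not Base64 after all
            continue
        if is_pe(blob):
            findings["embedded_pe"] = True
            findings["blob_bytes"] = len(blob)
            # The CLR metadata root starts with the ASCII signature "BSJB" (0x424A5342),
            # so its presence inside a PE is a cheap "this is a .NET assembly" check.
            findings["looks_managed"] = b"BSJB" in blob
    findings["loader_indicators"] = [name for name, pat in LOADER_PATTERNS.items() if pat.search(text)]
    # A decoded PE on its own might be a legitimately embedded resource; a PE plus
    # reflective-loading code in the same page is the two-stage web shell shape.
    findings["verdict"] = "suspicious" if findings["embedded_pe"] and findings["loader_indicators"] else "clean"
    return findings


def _fake_managed_pe() -> bytes:
    """Constructed stand-in for a .NET assembly: MZ stub, PE signature and a BSJB marker.
    Enough structure for the header checks above; it is not a runnable binary."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> PE signature
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 64 + b"BSJB" + b"\x00" * 200


# Constructed malicious page: decodes the blob and reflectively loads it per request.
SUSPICIOUS_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<script runat="server">\n'
    "void Page_Load(object s, EventArgs e) {\n"
    '  byte[] b = Convert.FromBase64String("' + base64.b64encode(_fake_managed_pe()).decode() + '");\n'
    "  var asm = System.Reflection.Assembly.Load(b);\n"
    '  asm.GetType("Stage2").GetMethod("Run").Invoke(null, new object[] { Request });\n'
    "}\n</script>\n"
)

# Constructed benign page: a long Base64 run that is just an inline PNG, no loader code.
BENIGN_ASPX = (
    '<%@ Page Language="C#" %>\n'
    '<img src="data:image/png;base64,'
    + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 250).decode()
    + '" />\n'
)

if __name__ == "__main__":
    for label, page in (("suspicious", SUSPICIOUS_ASPX), ("benign", BENIGN_ASPX)):
        print(label, scan_source(page))
```

Run it over the wwwroot of an IIS server (every `.aspx`, `.ashx`, `.asmx` file) rather than the constructed pages; a hit with `verdict == "suspicious"` is a file to pull for analysis, and the `looks_managed` flag separates a .NET second stage from an embedded native PE. The Base64 length threshold and the loader regexes are deliberately loose; tighten them to your codebase once you know which legitimate pages embed resources.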
Security researchers at the Slovak cybersecurity firm ESET say this web shell is ultimately responsible for deploying SparrowDoor and ShadowPad. ESET treats FamousSparrow as a separate threat group with only loose connections to Earth Estries, based on similarities with Crowdoor and HemiGate. According to the firm, the group was also actively developing new versions of SparrowDoor during this period, which shows not only that the group remains active but that it continues to build new backdoor variants.
FamousSparrow was first reported in September 2021 in connection with a string of intrusions against hotels, governments, engineering firms, and law firms using SparrowDoor, an implant used exclusively by the group. The initial-access method in the newly reported attacks is still unknown, but according to ESET the victims were running out-of-date versions of Microsoft Exchange Server and Windows Server.
Unlike the earlier artifacts, the second version of the backdoor is modular and uses a plugin-based approach to achieve its objectives. Up to nine different modules are supported, including:
- Cmd: execute a single command
- CFile: perform file system operations
- CKeylogPlug: record keystrokes
- CSocket: start a TCP proxy
- CShell: launch an interactive shell session