ESET researchers say they have discovered a new advanced persistent threat (APT) group conducting cyber-espionage against governments, hotels, engineering companies, law firms, and various other sectors around the world.
The group, called “Famous Sparrow,” is believed to have been active since at least 2019, with the majority of victims in Europe, the United Kingdom, Saudi Arabia, Israel, Taiwan, Brazil, Canada, Guatemala and Burkina Faso.
Researchers first noticed the group’s activities earlier this year while reviewing telemetry data during an investigation. They observed that Famous Sparrow was exploiting a Microsoft Exchange vulnerability known as ProxyLogon, which was published in March 2021.
Famous Sparrow appears to be independent of other active APTs, but researchers have observed overlap with other groups.
In one case, researchers discovered the threat actor using a command-and-control (C2) server linked to the DRBControl APT to stage an exploitation tool.
Group operatives also utilized a variant of the loader known to have been adopted by another group named Sparkling Goblin.
However, FamousSparrow is the only known APT currently using a custom backdoor called SparrowDoor by ESET researchers.
The attackers deploy this backdoor through a loader, using a technique called DLL search-order hijacking.
Once deployed, the backdoor establishes a connection to the attacker’s C2 server for data exfiltration.
SparrowDoor’s malicious capabilities include creating directories, deleting or renaming files, shutting down processes, and sending back details such as file size and file write time. It can also write data to a specified file, exfiltrate a specified file to the attacker, and establish an interactive reverse shell.
Notably, it also has a persistence setting and a kill switch that removes all SparrowDoor files from the victim’s system.
Famous Sparrow has been observed to primarily target hotels, but it also launches attacks on other popular APT targets such as governments and international organizations.
“I believe their main motive is espionage,” said ESET researcher Matthieu Faou, who unmasked Famous Sparrow together with his colleague Tahseen Bin Taj.
“Hotels are a major target for the APT group because they allow attackers to collect data about their targets’ mobility habits. They could also compromise the hotel’s Wi-Fi infrastructure and spy on unencrypted network traffic.”
According to the researchers, the latest findings about Famous Sparrow are yet another reminder that organizations should patch Internet-facing applications as soon as possible.
If administrators cannot patch software right away, they should at the very least not expose the application to the internet.