ESET Unveils SparrowDoor Variants Targeting US, Mexico

Photo by: Freepik

By MBN Staff - Wed, 05/28/2025 - 15:45

Cybersecurity firm ESET identified two new variants of the SparrowDoor backdoor deployed in cyberattacks by FamousSparrow, both dating from July 2024. The targets included a trade group in the United States and a research institute in Mexico, and the campaign marks the first documented use of the ShadowPad malware by the group.

“FamousSparrow deployed two previously undocumented versions of the SparrowDoor backdoor, one of them modular,” ESET reports. “Both versions constitute considerable progress over previous ones and implement parallelization of commands.”

FamousSparrow is a Chinese-linked threat group first identified in September 2021 by ESET. The group has been associated with cyber intrusions targeting sectors such as hospitality, government, legal, and engineering. Its operations are characterized by the use of the SparrowDoor implant, a backdoor exclusively tied to the group. While ESET acknowledges overlapping tactics with other threat actors like Earth Estries and GhostEmperor, it continues to categorize FamousSparrow as a separate entity, citing distinctions in toolsets such as Crowdoor and HemiGate.

The recent campaign involved breaching vulnerable Internet Information Services (IIS) servers to deploy a web shell, reports The Hacker News. Although the initial access method remains unknown, both victims were reportedly operating outdated versions of Windows Server and Microsoft Exchange Server. Once the web shell was established, it retrieved a remote batch script to activate a Base64-encoded .NET web shell. This payload enabled the installation of both SparrowDoor and ShadowPad malware components.

One of the new SparrowDoor variants mimics Crowdoor but introduces substantial upgrades. These include parallel processing of commands, enabling simultaneous execution of tasks such as file input/output operations and interactive shell sessions. “When the backdoor receives one of these commands, it creates a thread that initiates a new connection to the C&C server. The unique victim ID is then sent over the new connection along with a command ID indicating the command that led to this new connection,” says Alexandre Côté, malware researcher at ESET.

This architecture allows the command-and-control server to associate multiple threads with a single victim. The backdoor supports functionalities including file enumeration, proxy initiation, host information gathering, interactive shell access, and self-uninstallation.
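The per-command connection design described above has a visible side effect on the network: a single infected host opens several fresh connections to the same C&C endpoint within a short span, one per outstanding command. The following script is an added example written for this article, not code from ESET or from the malware itself; it applies a simple fan-out heuristic to constructed connection records (the log format, the addresses, which are from documentation ranges, and the 30-second/3-connection threshold are all assumptions of this example, not values taken from the report).

```python
"""Flag hosts that open many new connections to one remote endpoint in a short window.

Added example for the SparrowDoor fan-out behaviour described in the article.
The log format and thresholds are assumptions, not part of the ESET report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "timestamp src dst dport", one new outbound connection per line.
# 10.0.0.5 opens four connections to the same endpoint within four seconds
# (the pattern of interest); 10.0.0.7 reconnects only every ten minutes.
SAMPLE_LOG = """\
2024-07-10T10:00:01 10.0.0.5 203.0.113.10 443
2024-07-10T10:00:02 10.0.0.5 203.0.113.10 443
2024-07-10T10:00:03 10.0.0.5 203.0.113.10 443
2024-07-10T10:00:04 10.0.0.5 203.0.113.10 443
2024-07-10T10:05:00 10.0.0.7 198.51.100.20 443
2024-07-10T10:15:00 10.0.0.7 198.51.100.20 443
2024-07-10T10:25:00 10.0.0.7 198.51.100.20 443
"""


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> list[Conn]:
    """Parse the assumed whitespace-separated format into Conn records."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), src, dst, int(dport)))
    return conns


def find_fanout(conns: list[Conn],
                window: timedelta = timedelta(seconds=30),
                min_conns: int = 3) -> dict[tuple[str, str, int], int]:
    """Return {(src, dst, dport): peak_count} for every (source, endpoint) pair
    that opened at least `min_conns` new connections inside any `window`."""
    by_pair: dict[tuple[str, str, int], list[datetime]] = defaultdict(list)
    for c in conns:
        by_pair[(c.src, c.dst, c.dport)].append(c.ts)

    hits = {}
    for key, times in by_pair.items():
        times.sort()
        # Sliding window: track the largest number of connections whose
        # timestamps fall within `window` of each other.
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_conns:
            hits[key] = peak
    return hits


def analyse(text: str = SAMPLE_LOG) -> dict[tuple[str, str, int], int]:
    """Convenience wrapper: parse the sample log and run the heuristic."""
    return find_fanout(parse_log(text))


if __name__ == "__main__":
    for (src, dst, dport), count in analyse().items():
        print(f"{src} opened {count} connections to {dst}:{dport} within 30s")
```

Browsers and many legitimate clients also open connections in parallel, so a hit from this heuristic is a lead for baselining and enrichment (is the destination known to the organisation, does the process match a web-facing service) rather than a verdict on its own; in practice you would run it over real flow or proxy records and allow-list expected endpoints.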

The second identified version adopts a modular structure with plugin-based capabilities. It incorporates up to nine distinct modules, each with specific functions:

  • Cmd: Execute single commands
  • CFile: File system operations
  • CKeylogPlug: Keystroke logging
  • CSocket: TCP proxy setup
  • CShell: Interactive shell access
  • CTransf: File transfer between host and C&C server
  • CRdp: Screenshot capture
  • CPro: Process listing and termination
  • CFileMoniter: File system monitoring

This modular architecture allows greater flexibility and scalability for conducting various types of surveillance and data exfiltration.

The deployment of ShadowPad suggests evolving collaboration or tool sharing between cyber espionage groups, says ESET. The emergence of these new SparrowDoor variants, particularly the modular version, signifies an increased risk to organizations operating outdated software environments. The continued use of known exploits in Microsoft products also underscores persistent vulnerabilities in enterprise systems with unpatched legacy components.

Further monitoring is expected to track the deployment of these variants across additional targets and geographies.
