ESET researchers have recently uncovered ongoing operations and an advanced toolkit associated with the China-aligned Advanced Persistent Threat (APT) group known as FamousSparrow, also referred to as Salt Typhoon.
This investigation was sparked by unusual activity detected in July 2024 within a financial trade group operating in the United States. The findings reveal that FamousSparrow has been intensively developing its malicious capabilities. Notably, evidence emerged linking this group to simultaneous breaches of a research institute in Mexico and a government entity in Honduras, indicating an expansion in their targeting strategy.
This investigation also marks the first documented incident of FamousSparrow leveraging ShadowPad, a stealthy backdoor notably provided exclusively to actors with ties to Chinese interests. This development raises concerns regarding the evolving nature of their cyber-espionage techniques.
Additionally, the analysis disclosed the use of two newly identified variants of SparrowDoor, the group’s signature malware. One variant closely resembles the “CrowDoor” backdoor, a tool attributed to the Earth Estries APT group, while the other has a modular structure that diverges from previous SparrowDoor iterations.
ESET researchers commented that these findings suggest ongoing enhancements to SparrowDoor rather than a departure toward a distinct malware family. The attack chain began with a webshell placed on an Internet Information Services (IIS) server. Researchers suspect that initial access was gained by exploiting vulnerabilities in outdated Windows Server and Microsoft Exchange versions, given that several public exploits target these systems. The attackers used a mix of custom malware and tools shared among China-aligned APTs, culminating in the deployment of both SparrowDoor and ShadowPad.
The attackers accessed target systems through a batch script downloaded from a remote server, deploying a .NET webshell that facilitated remote PowerShell sessions, information gathering, and privilege escalation through publicly available exploits integrated within the PowerHub framework. The attack concluded with a sophisticated method, referred to as a “trident loading scheme,” to execute SparrowDoor, utilizing a legitimate antivirus executable for DLL side-loading. Notably, this campaign revealed three distinct SparrowDoor command-and-control servers, all operating over port 80.
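The intrusion chain above starts with a webshell on an IIS server that is then driven over HTTP. As an added illustration of how a defender might hunt for that first stage (this is example code written for this article, not ESET's tooling, and it contains no indicators from the report), the script below parses IIS W3C logs and flags POST requests to script files that were never browsed normally, sit outside an allowlist of known application roots, or arrive from a scripted client. The log lines, the allowlist of application roots and the user-agent markers are all constructed, hypothetical values that would need tuning to a real server.

```python
"""Hunt for webshell-like request patterns in IIS W3C logs (illustrative, not ESET's code)."""
from collections import defaultdict

# Constructed sample log; the paths, IPs and user agents are invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2024-07-02 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 200 15
2024-07-02 10:00:05 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0 302 40
2024-07-02 10:01:10 10.0.0.5 POST /aspnet_client/system_web/errorEE.aspx - 443 - 198.51.100.7 python-requests/2.31 200 120
2024-07-02 10:01:12 10.0.0.5 POST /aspnet_client/system_web/errorEE.aspx - 443 - 198.51.100.7 python-requests/2.31 200 980
2024-07-02 10:05:00 10.0.0.5 GET /ecp/default.aspx - 443 - 203.0.113.11 Mozilla/5.0 200 22
"""

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp")
# Hypothetical allowlist of directories that legitimately serve application pages
# on an Exchange/IIS host; replace with the real application roots of the server.
KNOWN_APP_ROOTS = ("/owa/", "/ecp/", "/ews/", "/mapi/", "/autodiscover/")
# Substrings that identify non-browser clients; a heuristic, not proof of anything.
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "powershell", "go-http-client")


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields: header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than mis-map columns
        yield dict(zip(fields, parts))


def find_suspicious_posts(text):
    """Return {uri_stem: sorted reasons} for POSTed script files that look webshell-like."""
    records = list(parse_w3c(text))
    # Paths that real users navigate to with GET; a webshell is typically only POSTed to.
    get_uris = {r["cs-uri-stem"].lower() for r in records if r["cs-method"] == "GET"}
    findings = defaultdict(set)
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if r["cs-method"] != "POST" or not uri.endswith(SCRIPT_EXT):
            continue
        if not uri.startswith(KNOWN_APP_ROOTS):
            findings[uri].add("script file outside known application roots")
        if uri not in get_uris:
            findings[uri].add("POSTed but never fetched with GET")
        ua = r.get("cs(User-Agent)", "").lower()
        if any(marker in ua for marker in SCRIPTED_UA_MARKERS):
            findings[uri].add("scripted client user-agent")
    return {uri: sorted(reasons) for uri, reasons in findings.items()}


if __name__ == "__main__":
    for uri, reasons in find_suspicious_posts(SAMPLE_LOG).items():
        print(uri)
        for reason in reasons:
            print("  -", reason)
```

Each heuristic on its own produces false positives; the value is in the combination, and any hit should be followed by checking the file's creation time and contents on the web server rather than acting on the log alone.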
The latest iterations of SparrowDoor exhibit advanced technical features, including parallel command processing and a plugin-based architecture designed for dynamic functionality expansion. While ESET researchers have not yet observed any active plugins, their code analysis indicates that this modularity is intended to evade detection by reducing the backdoor’s overall footprint.
While researchers recognize partial code overlaps between SparrowDoor and HemiGate, another tool linked to Earth Estries, they assess that these similarities are more likely explained by a shared supplier of tools or infrastructure than by joint operations between the two groups. This ongoing analysis underscores the sophisticated tactics employed by the FamousSparrow group and the persistent threat it poses to organizations across various sectors.