Hotels and Governments Worldwide New Targets of Hacker Group

FamousSparrow, as the cybersecurity firm ESET has nicknamed the group, has been attributed a string of attacks on hotels around the world, governments, international organizations and law firms. The group is said to have been active since August 2019, with victims across Africa, Asia, Europe and the Middle East, in countries including Burkina Faso, Taiwan, France, Lithuania, the U.K. and Israel.

The attacks exploit vulnerabilities in server applications such as SharePoint and Oracle Opera, as well as the ProxyLogon remote code execution vulnerability in Microsoft Exchange Server (CVE-2021-26855) that came to light in March 2021. That makes FamousSparrow the latest threat actor found to have had access to the exploit before details of the flaw became public.

According to ESET, intrusions exploiting the flaws began on March 3 and led to the deployment of several malicious artifacts, including two bespoke versions of the Mimikatz credential stealer, the NetBIOS scanner Nbtscan, and a loader for a custom implant dubbed SparrowDoor.

SparrowDoor is installed through DLL search order hijacking: the loader is dropped alongside a legitimate executable, which resolves the malicious DLL from its own directory before the genuine one. Once running, the backdoor lets the operators burrow deeper into the target's internal network, execute arbitrary commands, and collect and exfiltrate sensitive information to a remote command-and-control (C2) server under their control.
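One way to hunt for the DLL search order hijacking that installs SparrowDoor, as an added example (this is not ESET's code or tooling): it scans Sysmon Event ID 7 (Image loaded) records and flags a Windows system DLL name that was loaded from outside the Windows system directories, the footprint of a DLL planted beside a legitimate executable. The sample records, process paths and DLL names are constructed for the example, and the list of commonly hijacked DLLs is an illustrative subset, not an exhaustive one.

```python
"""Hunt Sysmon Event ID 7 (Image loaded) records for DLL search-order hijacking.

Added example, not code from ESET or the FamousSparrow report. The records below
are constructed to look like Sysmon Event 7 fields; every path, process name and
DLL name is hypothetical.
"""
import json

# Windows system DLLs that are frequently planted next to a legitimate EXE so the
# loader resolves them from the application directory before System32.
# Illustrative subset, not an exhaustive list.
COMMONLY_HIJACKED_DLLS = {
    "version.dll", "dwmapi.dll", "wtsapi32.dll", "userenv.dll", "cryptsp.dll",
    "profapi.dll", "dbghelp.dll", "uxtheme.dll", "msimg32.dll", "winmm.dll",
}

# Directories from which a system DLL is expected to be loaded (lower-case, with
# a trailing separator so "c:\windows\system32evil\" does not match).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)


def _dirname(win_path: str) -> str:
    """Directory part of a Windows path, lower-cased for comparison."""
    return win_path.rsplit("\\", 1)[0].lower()


def _basename(win_path: str) -> str:
    """File name part of a Windows path, lower-cased for comparison."""
    return win_path.rsplit("\\", 1)[-1].lower()


def _in_system_dir(win_path: str) -> bool:
    p = win_path.lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def classify(event: dict) -> list:
    """Return the reasons an Event 7 record looks like a planted DLL ([] if none)."""
    image, loaded = event["Image"], event["ImageLoaded"]
    name = _basename(loaded)
    reasons = []
    # Strong signal: a DLL that ships with Windows was resolved from somewhere else.
    if name in COMMONLY_HIJACKED_DLLS and not _in_system_dir(loaded):
        reasons.append(f"system DLL {name} loaded from {_dirname(loaded)}")
    # Weaker signal, noisy on its own: an unsigned DLL sitting next to the EXE.
    same_dir = _dirname(loaded) == _dirname(image)
    if same_dir and event.get("Signed", "").lower() != "true":
        reasons.append("unsigned DLL loaded from the executable's own directory")
    return reasons


def hunt(jsonl_lines) -> list:
    """Parse JSON-lines Event 7 records and return [(record, reasons)] for hits."""
    findings = []
    for line in jsonl_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:
            continue
        reasons = classify(ev)
        if reasons:
            findings.append((ev, reasons))
    return findings


# Constructed sample records (hypothetical paths), serialised as JSON lines the
# way a log shipper might emit them.
SAMPLE_EVENTS = [
    # Benign: version.dll resolved from System32 by a signed application.
    {"EventID": 7, "Image": "C:\\Program Files\\Example\\app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Suspicious: an unsigned version.dll next to the EXE shadows the real one.
    {"EventID": 7, "Image": "C:\\Users\\Public\\Update\\updater.exe",
     "ImageLoaded": "C:\\Users\\Public\\Update\\version.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    # Benign: application-private DLL, signed, not a system DLL name.
    {"EventID": 7, "Image": "C:\\Program Files\\Example\\app.exe",
     "ImageLoaded": "C:\\Program Files\\Example\\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    # Not an image-load event; ignored.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe"},
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for ev, reasons in hunt(SAMPLE_JSONL.splitlines()):
        print(ev["Image"], "->", ev["ImageLoaded"])
        for r in reasons:
            print("   ", r)
```

The unsigned same-directory rule is noisy on its own, since many legitimate applications ship unsigned private DLLs; treat a system DLL name resolved outside the Windows directories as the strong signal and the unsigned same-directory load as corroboration.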

While ESET didn't attribute FamousSparrow to a specific country, it found similarities between its techniques and those of SparklingGoblin, an offshoot of the China-linked Winnti Group, and DRBControl, whose tooling also overlaps with malware previously tied to Winnti and Emissary Panda campaigns.

"This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all," ESET researchers Tahseen Bin Taj and Matthieu Faou said.
