430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

APT

New FamousSparrow APT group used ProxyLogon exploits in its attacks

Researchers spotted a new cyberespionage group, dubbed FamousSparrow, that used ProxyLogon exploits to target hotels worldwide. Researchers from ESET discovered a new cyberespionage group, tracked as FamousSparrow, that has been targeting hotels worldwide around the world since at least 2019. The group also hit higher-profile targets such as law firms, governments, and private companies worldwide. According […]

FamousSparrow Figure-1.-Geographic-distribution-of-FamousSparrow-targets-1024x788

Researchers spotted a new cyberespionage group, dubbed FamousSparrow, that used ProxyLogon exploits to target hotels worldwide.

Researchers from ESET discovered a new cyberespionage group, tracked as FamousSparrow, that has been targeting hotels worldwide around the world since at least 2019. The group also hit higher-profile targets such as law firms, governments, and private companies worldwide.

According to the experts the group focuses on cyber espionage operations.

Telemetry data revealed that the APT group exploited Microsoft Exchange ProxyLogon vulnerabilities since March 3, 2021, only one day after Microsoft released security patches for them.

FamousSparrow group employed a custom backdoor, dubbed SparrowDoor in its attacks, along with two custom versions of Mimikatz.

Experts also found connections between FamousSparrow and other APT groups, such as the SparklingGoblinand the DRBControl cyberespionage group.

The APT group has targeted victims from Europe (France, Lithuania, the UK), the Middle East (Israel, Saudi Arabia), the Americas (Brazil, Canada, Guatemala), Asia (Taiwan), and Africa (Burkina Faso).

FamousSparrow Figure-1.-Geographic-distribution-of-FamousSparrow-targets-1024x788

“In a few cases, we were able to find the initial compromise vector used by FamousSparrow and these systems were compromised through vulnerable internet-facing web applications. We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples.” reads the analysis published by ESET.

Once compromised the target network, the group deployed custom tools such as a Mimikatz variant, a small utility to harvest memory contents by dumping the Windows LSASS process, and the loader for the SparrowDoor backdoor.

The backdoor supports different malicious actions:

Command IDAction
0x1C615632The current process is closed.
0x1DE15F35A child svchost.exe process is spawned with processToken information of the process (Process ID) specified by the C&C server, with argument -d and then the shellcode is injected into the process.
0x1A6B561AA directory is created using the name provided by the C&C server.
0x18695638A file is renamed. Both the file to be renamed and the new name are provided by the C&C server.
0x196A5629A file is deleted, as specified in the incoming data.
0x17685647If length of the data is 1, and the data matches $, then the length of systemInfoHash along with an array of drive types are sent.

If length of the data is greater than 2 and the first 2 bytes of data match $\, then information about the files in a specified directory is sent. The information included is the following: file attributes, file size and file write time.
0x15665665A new thread is created to exfiltrate the content of a specified file.
0x16675656If the kill switch is activated, the current persistence settings (registry and service) are removed and the Indexer.exe file is executed (to restart the dropper). If not, the backdoor loop is restarted.
0x14655674A new thread is created to write the data to a specified file.
0x12635692If the kill switch is activated, the persistence settings are removed, and all the files used by SparrowDoor (Indexer.exe, K7UI.dll and MpSvc.dll) are removed. If not, the backdoor loop is restarted.
0x13645683If the data matches “switch ”, then the backdoor is restarted with the -d switch.

If not, it spawns a cmd.exe shell, and sets up named pipes for input and output (used by the C&C server) to establish an interactive reverse shell.

If the data matches Exit\r\n, then the spawned shell is terminated.
OtherRestarts the backdoor loop.

“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera.” concludes ESET. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]