A cyber-espionage group dubbed “Famous Sparrow” by researchers has taken off, targeting hotels, govts. & Private organisations around the world with a custom backdoor called, appropriately, “Sparrow Door.”
A custom “Sparrow Door” backdoor has allowed the attackers to collect data from targets around the globe.
It’s one of the advanced persistent threats (APTs) that targeted the Proxy Logon vulnerabilities earlier this year, according to ESET, though its activity has only recently come to light.
Says the firm, the backdoor’s malicious actions include the ability to: rename or delete files; create directories; shut down processes; send information such as file attributes, file size & file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell.
There’s also a kill switch to remove persistence settings & all Sparrow Door files from the victim machines.
“The targeting, which includes govts. worldwide, suggests that Famous Sparrow’s intent is espionage,” researchers noted.
Proxy Logon Exploits
The Proxy Logon remote code execution (RCE) bug was disclosed in March, & was used by more than 10 APT groups to establish access via shellcode to Exchange mail servers worldwide in a number of attacks. According to ESET telemetry, Famous Sparrow started to exploit the vulnerabilities the day following Microsoft’s release of a patch for the problem.
In Famous Sparrow’s case, it used the bug to deploy Sparrow Door, which has been seen in other attacks (many of them against hotels), according to ESET. These additional campaigns have occurred both before & after Proxy Logon, & date back to Aug. 2019, researchers noted.
Where they were able to determine the initial compromise source, researchers found that Famous Sparrow’s go-to method appears to be the exploitation of vulnerable internet-facing web applications.
“We believe Famous Sparrow exploited known remote code-execution vulnerabilities in Microsoft Exchange (including Proxy Logon in March 2021), Microsoft SharePoint & Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” according to ESET researchers.
They added, “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”
Once a target is compromised, Famous Sparrow infects the victim with a range of custom tools, according to ESET’s analysis, released on Thurs. These include:
- A Mimikatz variant for lateral movement
- A small utility that drops ProcDump on disk & uses it to dump the lsass process, probably in order to gather in-memory secrets, such as credentials
- Nbtscan, a NetBIOS scanner for identifying files & printers across a LAN
- A loader for the Sparrow Door backdoor
The loader installs Sparrow Door via DLL search order hijacking, researchers noted.
“The legitimate executable, Indexer.exe, requires the library K7UI.dll to operate,” they explained.
“Therefore, the OS looks for the DLL file in directories in the prescribed load order. Since the directory where the Indexer.exe file is stored is at the top priority in the load order, it is exposed to DLL search-order hijacking. And that is exactly how the malware gets loaded.”
Persistence is set through the registry Run key & a service that’s created & started using XOR-encrypted configuration data hardcoded in the binary, according to the writeup. Then, the malware establishes encrypted TLS connections to a command-&-control (C2) server on port 433, which can be proxied or not.
The malware then achieves privilege escalation by adjusting the access token of the Sparrow Door process to enable SeDebug Privilege, which is a legitimate Windows utility that’s used to debug processes on computers other than one’s own.
An attacker with SeDebug Privilege can “debug processes owned by System, at which point they can inject code into the process & perform the logical equivalent of net local group administrators anybody/add, thereby elevating themselves (or anybody else) to administrator,” according to a Microsoft writeup.
After that, Sparrow Door sniffs out & sends the victim’s local IP address, a Remote Desktop Services session ID associated with the backdoor process, username & computer name to the C2, & waits for commands in return, in order to start its espionage campaign.
Famous Sparrow mainly targets hotels, but ESET observed targets in other sectors, including govts., international organisations, engineering companies & law firms.
The group has really come out of its shell: Attacks have been scattered globally, aimed at targets in Brazil, Burkina Faso, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand & the United Kingdom, according to the firm.