The Chinese threat actor, known as a celebrity, is linked to cyberattacks targeting US trade groups and Mexican laboratories, offering flagship backdoor pollow doors and shadow pads.
The activity, observed in July 2024, is the first time a hacking crew has deployed ShadowPad, a malware widely shared by Chinese state-sponsored actors.
“The famous Parrow has deployed two undocumented versions of the Sparrow Door Backdoor. “Both versions constitute a significant advancement over the previous versions and implement command parallelization.”
FamoussParrow was first documented in September 2021 by Slovak Cybersecurity Company in connection with a series of cyberattacks targeting Sparrowdoor hotels, governments, engineering companies and law firms used by the group.
Since then, there have been reports of tactical overlap of hostile groups with Earth Astery, Ghost Empera and clusters tracked as the most notable salt typhoon.
However, ESET pointed out that it treats it as a well-known threat group with loose links to the Earth due to its similarities between Claudsoor and Hemigate.
The attack chain includes threat actors that deploy web shells to Internet Information Services (IIS) servers, but the exact mechanism used to achieve this is still unknown. Both victims are said to be running outdated versions of Windows Server and Microsoft Exchange Server.
The web shell acts as a conduit to drop batch scripts from a remote server, launching a base64 encoded .NET web shell embedded within it. This web shell will ultimately be responsible for the deployment of Sparrowdoor and Shadowpad.
According to ESET, one of the Sparrowdoor versions is similar to Crowdoor, but both variations have been significantly improved over their predecessors. This includes the ability to simultaneously execute time-consuming commands such as file I/O and interactive shells, allowing the backdoor to process incoming instructions while it is running.
“When the backdoor receives one of these commands, it creates a thread that initiates a new connection to the C&C server,” says security researcher Alexandre Cometé Cyr. “The unique victim ID is then sent over the new connection, along with a command ID indicating the command that led to this new connection.”
“This allows the C&C server to track which connections are related to the same victim and their purpose. Each of these threads can handle a specific set of subcommands.”
Sparrowdoor features a wide range of commands that allow you to launch a proxy, launch an interactive shell session, perform file operations, enumerate file systems, gather host information, and uninstall itself.
In contrast, the second version of the backdoor is modular and is significantly different from other artifacts, employing a plugin-based approach to achieve its goals. Supports up to 9 different modules –
cmd-execute single command cfile-execute filesystem operations
“This newly discovered activity shows that the group was not only still operating, but also actively developing new versions of Sparrow Door during this period,” ESET said.
Source link
