Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations: A Glimpse into the Evolving Threat Landscape


Researchers at ESET have discovered two new variants of the SparrowDoor backdoor malware, linked to cyber attacks targeting organizations in the United States and Mexico. The discovery highlights the ongoing evolution of the hacking tactics employed by FamousSparrow and serves as a stark reminder of the ever-present threat landscape in the world of cybersecurity.

  • The ESET team has identified two new variants of the SparrowDoor backdoor malware linked to cyber attacks targeting US and Mexican organizations.
  • FamousSparrow, a Chinese threat actor, deployed the two new variants during an attack chain in July 2024.
  • The new variants feature significant improvements over their predecessors, including modular design and simultaneous command execution.
  • SparrowDoor allows threat actors to start proxies, launch interactive shell sessions, perform file operations, and uninstall themselves.
  • Victims were running outdated versions of Windows Server and Microsoft Exchange Server.
  • The attack chain also involves deploying ShadowPad, malware widely shared among Chinese state-sponsored actors.



    In a recent development that has sent shockwaves through the cybersecurity community, a team of researchers from ESET has identified two new variants of the SparrowDoor backdoor malware, which have been linked to cyber attacks targeting organizations in the United States and Mexico. The discovery of these new variants marks a significant milestone in the ongoing cat-and-mouse game between threat actors and security professionals.

    According to the report shared with The Hacker News, FamousSparrow, a Chinese threat actor known for its sophisticated hacking tactics, deployed the two new variants of SparrowDoor during an attack chain observed in July 2024. The first variant is modular, following a plugin-based approach in which several modules each carry out part of the backdoor's work. These modules are Cmd, CFile, CKeylogPlug, CSocket, CShell, CTransf, CRdp, CPro, and CFileMoniter, and they respectively run commands, perform file system operations, log keystrokes, launch TCP proxies, start interactive shell sessions, initiate file transfers, take screenshots, list running processes, and monitor file system changes.

    The second variant of SparrowDoor resembles Crowdoor but features significant improvements over its predecessor. These include the ability to run time-consuming commands, such as file I/O and the interactive shell, concurrently, so the backdoor can keep processing incoming instructions while those commands are still executing. Each such command is handled over a new connection, on which the backdoor sends the unique victim ID together with a command ID indicating which command caused that connection to be opened; this lets the C&C server track which connections belong to the same victim and what each one is for.

    SparrowDoor sports a wide range of commands that allow it to start a proxy, launch interactive shell sessions, perform file operations, enumerate the file system, gather host information, and even uninstall itself. This extensive functionality makes SparrowDoor a formidable tool in the hands of threat actors.

    The discovery of these new variants is significant not only because of their sophistication but also because it highlights the ongoing evolution of the hacking tactics employed by FamousSparrow. The group's ability to adapt and develop new tools, such as the modular SparrowDoor backdoor, demonstrates its commitment to staying ahead of security professionals.

    ESET notes that it treats FamousSparrow as a distinct threat group with some loose links to Earth Estries, stemming from parallels with Crowdoor and HemiGate. The attack chain begins with a web shell deployed on an Internet Information Services (IIS) server, which is used to drop a batch script fetched from a remote server; that script in turn launches a Base64-encoded .NET web shell embedded within it.

    The victims of these attacks were said to be running outdated versions of Windows Server and Microsoft Exchange Server. The attack chain also involves the deployment of ShadowPad, a malware widely shared by Chinese state-sponsored actors.

    This latest development serves as a stark reminder of the ever-present threat landscape in the world of cybersecurity. As security professionals continue to work tirelessly to stay ahead of emerging threats, it is essential that organizations prioritize their cybersecurity posture and invest in robust security measures to protect themselves against such attacks.

    In conclusion, the discovery of these new SparrowDoor backdoor variants marks a significant milestone in the ongoing cat-and-mouse game between threat actors and security professionals. As we move forward in this evolving threat landscape, it is crucial that organizations remain vigilant and proactive in their cybersecurity efforts.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-SparrowDoor-Backdoor-Variants-Found-in-Attacks-on-US-and-Mexican-Organizations-A-Glimpse-into-the-Evolving-Threat-Landscape-ehn.shtml

  • https://thehackernews.com/2025/03/new-sparrowdoor-backdoor-variants-found.html


  • Published: Wed Mar 26 13:23:07 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.