A recent investigation by ESET researchers has shed light on the continued activities and evolving toolset of the China-aligned Advanced Persistent Threat (APT) group known as FamousSparrow (aka Salt Typhoon).
The probe, initiated by suspicious activity detected in July 2024 within a United States-based financial trade group, revealed that FamousSparrow has been diligently enhancing its malicious capabilities. Evidence pointed to a concurrent breach of a Mexican research institute and a governmental institution in Honduras, demonstrating the group's broadening targeting scope.
Additionally, this campaign marked the first documented instance of FamousSparrow using ShadowPad, a privately distributed backdoor known to be exclusively supplied to threat actors aligned with Chinese interests.
The analysis detailed the deployment of two newly discovered versions of the group's signature malware, SparrowDoor. One version bears similarity to the "CrowDoor" backdoor, a tool attributed to the Earth Estries APT group by Trend Micro, while the other, a modular design, deviates significantly from prior SparrowDoor instances.
"From our perspective, these are part of the ongoing development effort on SparrowDoor rather than a different family," ESET researchers explained in the blog post.
The attack chain started with the deployment of a webshell on an Internet Information Services (IIS) server. Researchers suspect the exploitation of vulnerabilities in outdated versions of Windows Server and Microsoft Exchange, given the availability of multiple public exploits for these systems. The group used a mix of custom malware and tools shared among China-aligned APTs, culminating in the deployment of SparrowDoor and ShadowPad.
The attackers gained access via a batch script downloaded from a remote server, which then deployed a .NET webshell, allowing them to establish remote PowerShell sessions, gather system information and escalate privileges using publicly available exploits incorporated into the PowerHub framework.
The final stage involved a sophisticated "trident loading scheme" to execute SparrowDoor, using a legitimate antivirus executable for DLL side-loading. "We observed three distinct SparrowDoor C&C servers in this campaign, all of which used port 80," researchers noted.
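Two of the behaviours in the chain above are well suited to endpoint telemetry rules: an IIS worker process spawning a command shell (the webshell stage) and a signed executable loading an unsigned DLL from its own directory (the DLL side-loading stage). The following is an added detection example written for this article, not ESET's code and not tied to the specific samples they analysed. It runs the two rules over constructed Sysmon-style process-creation and image-load events; the event field names (`parent_image`, `image_signed`, `loaded_dll`, and so on) are assumptions chosen for the example, and the paths and file names in the sample events are invented.

```python
from typing import Callable, Dict, List, Optional

# --- constructed sample telemetry (simplified Sysmon-style events) ---------
# Field names are assumptions for this example, not fields from the report.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # Ordinary IIS worker activity: no alert expected.
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0x4"},
    # Webshell-style behaviour: the IIS worker process launches a shell
    # that runs a batch file from the web root (invented path).
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\inetpub\wwwroot\upd.bat"},
    # Signed executable loading a signed system DLL: benign.
    {"type": "image_load",
     "image": r"C:\Program Files\AVVendor\scan.exe", "image_signed": True,
     "loaded_dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    # Side-loading pattern: a signed executable copied to a writable
    # directory loads an unsigned DLL sitting next to it (invented names).
    {"type": "image_load",
     "image": r"C:\ProgramData\tmp\scan.exe", "image_signed": True,
     "loaded_dll": r"C:\ProgramData\tmp\helper.dll", "dll_signed": False},
]

WEB_WORKER_PROCESSES = {"w3wp.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# DLLs loaded from the Windows system directories are excluded from the
# side-loading rule; the pattern of interest is a DLL beside the host binary.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def _norm(path: str) -> str:
    """Lower-case a path and normalise separators so comparisons are stable."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    n = _norm(path)
    return n.rsplit("\\", 1)[0] if "\\" in n else ""


def check_webshell_spawn(ev: Dict[str, object]) -> Optional[str]:
    """Rule 1: an IIS worker process (w3wp.exe) spawning a command shell."""
    if ev.get("type") != "process_create":
        return None
    parent = _basename(str(ev["parent_image"]))
    child = _basename(str(ev["image"]))
    if parent in WEB_WORKER_PROCESSES and child in SHELL_PROCESSES:
        return f"{parent} spawned {child}: {ev.get('command_line', '')}"
    return None


def check_dll_sideload(ev: Dict[str, object]) -> Optional[str]:
    """Rule 2: a signed executable loading an unsigned DLL from its own
    directory, outside the Windows system directories."""
    if ev.get("type") != "image_load":
        return None
    if not ev.get("image_signed") or ev.get("dll_signed"):
        return None
    dll_dir = _dirname(str(ev["loaded_dll"]))
    if dll_dir.startswith(SYSTEM_DIRS):
        return None
    if dll_dir == _dirname(str(ev["image"])):
        return (f"{_basename(str(ev['image']))} loaded unsigned "
                f"{_basename(str(ev['loaded_dll']))} from {dll_dir}")
    return None


RULES: Dict[str, Callable[[Dict[str, object]], Optional[str]]] = {
    "webshell_spawn": check_webshell_spawn,
    "dll_sideload": check_dll_sideload,
}


def run_rules(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Apply every rule to every event; return one alert per rule hit."""
    alerts: List[Dict[str, object]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"event": idx, "rule": name, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] event {alert['event']}: {alert['detail']}")
```

In production the signature flags would come from the EDR's own Authenticode verdicts rather than from fields on the event, and the side-loading rule would need an allow-list for legitimate applications that ship unsigned DLLs, but the two rules capture the shape of the behaviour the report describes without depending on any particular file name.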
The new SparrowDoor versions show technical sophistication, including parallel command processing and a plugin-based architecture for dynamic loading of additional functionality. While ESET researchers have not yet observed any plugins in action, the code analysis suggests that this modular design is intended to evade detection by minimizing the core backdoor's traceability.
ESET researchers have confidently attributed the observed activity to FamousSparrow due to its exclusive use of SparrowDoor and significant code overlaps with previously documented samples. They maintain that FamousSparrow, GhostEmperor, and Earth Estries are distinct groups, citing discrepancies and a lack of conclusive evidence to support their alleged links, a theory proposed by Microsoft Threat Intelligence under the Salt Typhoon cluster.
They acknowledge partial code overlaps between SparrowDoor and HemiGate, a tool associated with Earth Estries. However, they suggest that these overlaps might be better explained by the existence of a shared third party, such as a "digital quartermaster," providing tools or infrastructure, rather than a full conflation of the groups.