Newly unmasked 'FamousSparrow' APT group is targeting hotels and governments worldwide

Main motive is espionage, say ESET research

ESET researchers claim to have uncovered a new cyber espionage advanced persistent threat (APT) group that is targeting governments, hotels, engineering firms, legal companies, and various other sectors around the world.

Dubbed 'FamousSparrow', the group has been active since at least 2019. Most of its victims are located in Europe (including the UK), Saudi Arabia, Israel, Taiwan, Brazil, Canada, Guatemala and Burkina Faso.

The researchers first noticed the group's activity earlier this year while reviewing ESET telemetry. They observed that FamousSparrow had exploited the Microsoft Exchange vulnerabilities known as ProxyLogon, which were publicly disclosed in March 2021.

While FamousSparrow appears to be independent from other active APTs, researchers did observe some overlaps with other groups.

In one case, the researchers found the threat actors using a command-and-control (C2) server previously linked to the DRBControl APT to stage their exploitation tooling.

The group also used a variant of a loader known to have been employed by another group, SparklingGoblin.

But FamousSparrow is the only group currently known to use SparrowDoor, a custom backdoor named by the ESET researchers.

The threat actors deploy the backdoor through a loader that is itself started by DLL search order hijacking: a malicious DLL is placed where a legitimate executable will find it before the genuine library, so the trusted program loads the attackers' code.
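As an added illustration of the defensive side of that technique (this is not ESET's code and carries no FamousSparrow indicators), the script below runs the check a responder would apply to a process's loaded-module inventory: a DLL that carries the name of a well-known system library but was resolved from outside the system directories, or a DLL loaded from a user-writable folder into a process installed elsewhere, is a search-order hijack candidate. The module inventory, the list of system DLL names and the directory lists are constructed for the example.

```python
from pathlib import PureWindowsPath

# Directories the loader consults last for an unqualified DLL name; a system
# DLL's name resolving from anywhere else was found earlier in the search order.
SYSTEM_DIRS = (PureWindowsPath(r"C:\Windows\System32"),
               PureWindowsPath(r"C:\Windows\SysWOW64"))

# Locations an ordinary user can write to; a DLL for a Program Files binary
# has no business being loaded from here (constructed list, not exhaustive).
USER_WRITABLE_DIRS = (PureWindowsPath(r"C:\Users"),
                      PureWindowsPath(r"C:\ProgramData"),
                      PureWindowsPath(r"C:\Windows\Temp"))

# System DLL names commonly planted beside an executable (constructed, not exhaustive).
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                     "uxtheme.dll", "wlbsctrl.dll"}


def is_under(path, root):
    """True when `path` lies inside directory `root` (case-insensitive Windows compare)."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return parts[:len(root_parts)] == root_parts


def find_sideloaded_dlls(loaded_modules):
    """Classify (process image path, loaded module path) pairs.

    Returns a list of (image, module, reason) for modules that either carry a
    known system DLL name but were not loaded from a system directory, or were
    loaded from a user-writable location into a process whose image is not there.
    """
    findings = []
    for image, module in loaded_modules:
        mod = PureWindowsPath(module)
        in_system = any(is_under(mod, d) for d in SYSTEM_DIRS)
        if mod.name.lower() in KNOWN_SYSTEM_DLLS and not in_system:
            findings.append((image, module,
                             "system DLL name resolved outside the system directories"))
        elif (any(is_under(mod, d) for d in USER_WRITABLE_DIRS)
              and not any(is_under(image, d) for d in USER_WRITABLE_DIRS)):
            findings.append((image, module,
                             "module loaded from a user-writable location"))
    return findings


# Constructed module inventory, in the shape a process-inspection export would give.
SAMPLE_MODULES = [
    (r"C:\Program Files\Vendor\Viewer.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Program Files\Vendor\Viewer.exe", r"C:\Program Files\Vendor\vendorui.dll"),
    (r"C:\ProgramData\Vendor\Tool.exe", r"C:\ProgramData\Vendor\version.dll"),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll"),
    (r"C:\Program Files\Vendor\Updater.exe", r"C:\Users\Public\dbghelp.dll"),
    (r"C:\Program Files\Vendor\Viewer.exe",
     r"C:\Users\alice\AppData\Local\Temp\helper.dll"),
]

if __name__ == "__main__":
    for image, module, reason in find_sideloaded_dlls(SAMPLE_MODULES):
        print(f"{reason}: {module} loaded by {image}")
```

The first heuristic is the strong one: a legitimate copy of `version.dll` only lives in the system directories, so any other location means the loader was satisfied earlier in its search path. The second is noisier (portable and per-user installs trip it) and is there to catch a planted DLL whose name is not on the watch list, so triage its hits by signature and install path rather than treating them as confirmed.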

Once deployed, the backdoor connects to the attackers' C2 server, through which it receives commands and exfiltrates data.

SparrowDoor's capabilities include creating directories, deleting or renaming files, shutting down processes, and reporting file details such as size and write time. It can also write data to a specified file, exfiltrate the contents of a specified file to the attackers, and establish an interactive reverse shell.

Notably, it also features a kill switch that removes its persistence settings and deletes all SparrowDoor files from the victim's system.

FamousSparrow has mainly been observed targeting hotels, although it also attacks other typical APT targets such as governments and international organisations.

"We believe their main motivation is espionage," said ESET researcher Matthieu Faou, who unmasked FamousSparrow with his colleague Tahseen Bin Taj.

"Hotels are prime targets for APT groups because they allow attackers to gather data about their targets' travel habits. They can also potentially breach the hotels' Wi-Fi infrastructure to spy on non-encrypted network traffic."

According to the researchers, the FamousSparrow findings are yet another reminder for organisations to patch their Internet-facing applications as soon as possible.

If administrators cannot patch immediately, they should at least keep the affected applications off the Internet until they can.