A previously observed Chinese cyber espionage group, known as FamousSparrow, has been linked to recent intrusions targeting a trade association in the United States and a research institute in Mexico. These attacks, which occurred in July 2024, introduced two newly identified versions of the group’s custom backdoor, SparrowDoor, as well as the first documented use of ShadowPad malware by the group.
One of the new SparrowDoor variants is modular, representing a significant evolution in the malware’s development. Both variants incorporate enhancements over previous iterations, notably the ability to execute commands in parallel, allowing for more efficient operation.
Originally identified in 2021, FamousSparrow has previously targeted sectors such as hospitality, government, law, and engineering. While it shares some tactical similarities with groups like Earth Estries, GhostEmperor, and Salt Typhoon, security researchers continue to treat FamousSparrow as a distinct threat actor, with only loose associations to others.
The recent attack chain involves the use of a web shell deployed on Microsoft IIS servers. The initial infection vector remains unknown, but victims were found to be operating outdated Windows Server and Microsoft Exchange installations. Once the web shell is in place, it downloads a batch script that deploys a Base64-encoded .NET-based web shell, which subsequently installs both SparrowDoor and ShadowPad.
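The stage in that chain most visible to a defender is the Base64-encoded .NET web shell dropped into the IIS web root. The following heuristic scanner is an added example, not code from the article or from the ESET report it summarizes: it walks a web root, pulls out long Base64 runs from server-side script files, decodes them, and reports any that contain tokens typical of command-execution web shells. The extension list, the 120-character minimum run length and the token list are assumptions chosen for illustration; the sample web root it builds is constructed, and the flagged blob decodes to marker text rather than working code.

```python
"""Heuristic scanner for Base64-embedded .NET web shells in an IIS web root.

Added example (not from the original article or from ESET's report): flags
server-side script files (and batch scripts) that contain long Base64 runs
which decode to text carrying typical command-execution or request-handling
tokens. Thresholds and token lists are assumptions chosen for illustration.
"""
import base64
import binascii
import os
import re
import tempfile

# File types worth checking in an IIS web root; the batch-script stage of the
# described chain is included too (assumption: this extension list).
SCAN_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax", ".bat", ".cmd"}

# Long single-line runs of Base64 alphabet characters (assumed minimum: 120).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{120,}={0,2}")

# Tokens a decoded .NET web shell commonly contains (assumed heuristic list).
SUSPICIOUS_TOKENS = (
    b"System.Diagnostics.Process",
    b"ProcessStartInfo",
    b"cmd.exe",
    b"Request.Form",
    b"Request.QueryString",
    b"Assembly.Load",
)


def decode_b64_runs(data: bytes) -> list[bytes]:
    """Return the decoded bytes of every long Base64 run found in *data*."""
    decoded = []
    for match in B64_RUN.finditer(data):
        blob = match.group(0)
        blob += b"=" * (-len(blob) % 4)  # repair stripped padding
        try:
            decoded.append(base64.b64decode(blob, validate=True))
        except binascii.Error:
            continue  # not valid Base64 after all (e.g. a long identifier)
    return decoded


def score_file(path: str) -> list[str]:
    """Return the suspicious tokens found in decoded Base64 runs of *path*."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = set()
    for payload in decode_b64_runs(data):
        for token in SUSPICIOUS_TOKENS:
            if token in payload:
                hits.add(token.decode())
    return sorted(hits)


def scan_webroot(root: str) -> dict[str, list[str]]:
    """Walk *root* and map each flagged file (relative path) to its tokens."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            hits = score_file(path)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_webroot() -> str:
    """Create a constructed web root: one benign page and one page carrying a
    Base64 blob whose decoded content is marker text with suspicious tokens."""
    root = tempfile.mkdtemp(prefix="iisroot_")
    with open(os.path.join(root, "default.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n')
    marker = (b"constructed marker text: System.Diagnostics.Process "
              b"Request.Form cmd.exe " + b"x" * 80)
    blob = base64.b64encode(marker).decode()
    with open(os.path.join(root, "hidden.aspx"), "w") as fh:
        fh.write('<%@ Page Language="C#" %>\n<!-- payload -->\n' + blob + "\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, tokens in scan_webroot(sample).items():
        print(f"{rel}: {', '.join(tokens)}")
```

Run against a real web root with `scan_webroot("C:/inetpub/wwwroot")`; anything flagged should be triaged by hand, since the token list is a coarse heuristic that will also catch legitimate administrative pages. Pairing the scan with the IIS request logs for the flagged file (first request, requesting IP, preceding POSTs) turns a hit into a timeline.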
Of the two newly discovered SparrowDoor versions, one closely resembles an earlier malware strain called Crowdoor, but with significant upgrades. These include multi-threaded command execution, enabling the backdoor to handle simultaneous instructions. Each new connection to the command-and-control (C&C) server includes a unique victim ID and command ID, allowing for more organized and persistent control.
The modular variant of SparrowDoor introduces a plugin-based architecture, supporting nine functional modules:
- Cmd: Execute single commands
- CFile: Manage file system operations
- CKeylogPlug: Log keystrokes
- CSocket: Create a TCP proxy
- CShell: Open an interactive shell session
- CTransf: Transfer files to/from the C&C server
- CRdp: Take screenshots
- CPro: List and terminate processes
- CFileMoniter: Monitor changes in specific directories
The discovery of these new versions underlines that FamousSparrow remains active and is continuing to advance its capabilities, indicating an ongoing investment in custom tooling and modular malware development.