FamousSparrow APT

A new APT (Advanced Persistent Threat) group has appeared on the threat landscape. The researchers who discovered it have named it FamousSparrow. The group is believed to have been formed around 2019 and has been active since then. The attacks attributed to FamousSparrow focus mainly on compromising hotel computer systems; in select instances the group has also targeted government organizations, private engineering companies and law firms.

The profile of the victims suggests that FamousSparrow's main goal is cyberespionage. The group does not appear to target any particular geographical region: victims have been identified all around the world, including the U.S., Brazil, France, England, Saudi Arabia, Thailand and Taiwan.

Attack Chain

In March 2021, FamousSparrow quickly adjusted its operations and began exploiting the Microsoft Exchange vulnerabilities known as ProxyLogon. At that time, more than 10 different APT groups were exploiting the same flaws to take over Exchange mail servers. Other vulnerabilities the group has exploited affect Microsoft SharePoint and Oracle Opera (hotel management software).
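The Exchange servers in the paragraph above were reached through ProxyLogon, so the first place an incident responder looks is the Exchange HttpProxy log. The script below is an added example for this article, not code from the original page or from the researchers who tracked FamousSparrow. It applies the indicator Microsoft published for CVE-2021-26855 in March 2021: an HttpProxy row with an empty AuthenticatedUser whose AnchorMailbox was set to "ServerInfo~<backend>/...", which is the attacker-controlled routing that lets an unauthenticated request reach a backend endpoint. The log sample is constructed for the example: it keeps only a handful of the real column names, and the hostnames and addresses (example.test, 192.0.2.x, 203.0.113.x, 198.51.100.x) are documentation values, not real victims or attackers.

```python
"""Triage Exchange HttpProxy logs for the CVE-2021-26855 (ProxyLogon) SSRF pattern.

Added example, not taken from the article or from the original research.
Indicator: Microsoft's published HAFNIUM guidance flags HttpProxy rows where
AuthenticatedUser is empty and AnchorMailbox looks like "ServerInfo~host/path".
Sample log below is constructed with a reduced column set; the column names
used are the real HttpProxy field names, but real logs carry many more.
"""
import csv
import io
from collections import defaultdict

# Constructed sample (raw string so the backslash in EXAMPLE\alice survives).
# Rows 1-2 are benign traffic; rows 3-5 mimic ProxyLogon probing.
SAMPLE_HTTPPROXY_LOG = r"""DateTime,RequestId,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus,BackEndCookie
2021-03-02T08:14:51.120Z,req-0001,mail.example.test,/owa/auth/logon.aspx,,,"Mozilla/5.0 (Windows NT 10.0)",192.0.2.15,200,
2021-03-02T08:15:10.004Z,req-0002,mail.example.test,/owa/,EXAMPLE\alice,Smtp~alice@example.test,"Mozilla/5.0 (Windows NT 10.0)",192.0.2.15,200,Server~mail.example.test~1941962752
2021-03-02T08:15:02.431Z,req-0003,mail.example.test,/ecp/y.js,,ServerInfo~mail.example.test/ecp/y.js?~3,python-requests/2.25.1,203.0.113.7,200,Server~mail.example.test~1941962752
2021-03-02T08:15:03.118Z,req-0004,mail.example.test,/owa/auth/x.js,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml?~1941962752,python-requests/2.25.1,203.0.113.7,200,
2021-03-02T09:41:27.902Z,req-0005,mail.example.test,/ecp/x.js,,ServerInfo~localhost/ecp/DDI/DDIService.svc/SetObject?~2,curl/7.64.1,198.51.100.23,200,
"""


def parse_httpproxy_log(text):
    """Parse HttpProxy CSV text (first line is the header) into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_proxylogon_ssrf(row):
    """True when a row matches the published CVE-2021-26855 indicator:
    no authenticated user, and an AnchorMailbox of the form ServerInfo~host/path.
    Legitimate rows carry anchors such as Smtp~user@domain or Sid~S-1-5-..."""
    user = (row.get("AuthenticatedUser") or "").strip()
    anchor = (row.get("AnchorMailbox") or "").strip()
    return user == "" and anchor.startswith("ServerInfo~") and "/" in anchor


def find_proxylogon_hits(text):
    """Return every suspicious row from the given HttpProxy log text."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_ssrf(row)]


def summarize_by_client(hits):
    """Group hits by source address so a responder can see who probed what."""
    by_ip = defaultdict(list)
    for row in hits:
        by_ip[row["ClientIpAddress"]].append(
            (row["DateTime"], row["UrlStem"], row["AnchorMailbox"])
        )
    return dict(by_ip)


if __name__ == "__main__":
    # On a real server, read each *.log file under
    # <Exchange install>\Logging\HttpProxy\ instead of the constructed sample.
    hits = find_proxylogon_hits(SAMPLE_HTTPPROXY_LOG)
    for ip, requests in summarize_by_client(hits).items():
        print(f"{ip}: {len(requests)} suspicious request(s)")
        for timestamp, stem, anchor in requests:
            print(f"  {timestamp} {stem}  AnchorMailbox={anchor}")
```

A hit is a lead, not proof of compromise: the next step is to check the server for web shells dropped through the chain (unexpected .aspx files under the Exchange \owa\auth\ and inetpub\wwwroot\aspnet_client\ directories, which is where Microsoft's guidance directed responders to look) and to pull host telemetry for the post-exploitation tooling described in the next paragraph. The SharePoint and Oracle Opera vectors mentioned above leave no trace in this log and need their own checks.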

After compromising a server, FamousSparrow deploys two custom versions of Mimikatz and a previously unknown backdoor named SparrowDoor. Alongside these, the group uses a custom loader for the backdoor, a small utility that appears to be tasked with gathering credentials, and a NetBIOS scanner.

Connections to other APTs

During their investigation, researchers established several connections between FamousSparrow and already known APTs. In one case the group used a variant of Motnug, a loader associated with the SparklingGoblin group. On another victim's system, the researchers found a live Metasploit instance using a Command-and-Control (C2, C&C) domain previously linked to the DRBControl group.
