
FamousSparrow Deploys Advanced SparrowDoor Variants in U.S. and Mexico Cyberattacks
In the article “New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations”, The Hacker News reports that the Chinese-linked threat actor known as FamousSparrow has been identified as the perpetrator behind cyberattacks targeting a U.S. trade group and a Mexican research institute. These attacks, observed in July 2024, involved the deployment of two enhanced versions of the SparrowDoor backdoor and, for the first time by this group, the use of ShadowPad, a malware commonly associated with Chinese state-sponsored actors.
The new SparrowDoor variants exhibit significant advancements over previous iterations. One variant introduces parallel command execution capabilities, allowing simultaneous processing of tasks such as file operations and interactive shell sessions. The second variant adopts a modular, plugin-based architecture, supporting functionalities like keystroke logging, TCP proxy initiation, file transfers, screenshot capture, process management, and file system monitoring.
The attack chain began with a web shell deployed on vulnerable Internet Information Services (IIS) servers, followed by a batch script that launched a Base64-encoded .NET web shell; that second web shell in turn installed SparrowDoor and ShadowPad on the compromised systems. Notably, both victim organizations were running outdated versions of Windows Server and Microsoft Exchange Server, underscoring the importance of timely software updates and patches.
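The Base64-encoded .NET web shell is the stage a defender can hunt for on the IIS host itself: a long Base64 run inside an ASP.NET file that decodes to C# source which reads request parameters and spawns processes. The following scanner is an added example written for this summary, not code from The Hacker News or ESET; the indicator strings, the 80-character minimum blob length, the file extensions and the sample file contents are all assumptions constructed for the demonstration, not artefacts from the reported intrusions.

```python
"""Hunt for ASP.NET files carrying Base64 blobs that decode to .NET web-shell code."""
import base64
import re
from pathlib import Path

# A Base64 run long enough to carry source code; shorter runs (tokens, hashes) are noise.
# The 80-character threshold is an assumption chosen for this example.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")

# Strings typical of a .NET web shell: spawning processes, loading assemblies via
# reflection, or feeding request parameters into an executor. Assumed list, not from the report.
INDICATORS = (
    "System.Diagnostics.Process",
    "ProcessStartInfo",
    "Assembly.Load",
    "Request.Form",
    "Request.Params",
    "cmd.exe",
    "CreateInstance",
)

# Extensions IIS hands to the ASP.NET handler; assumption for this example.
ASPNET_EXTS = (".aspx", ".ashx", ".asmx", ".asax", ".config")


def decode_blobs(text):
    """Yield (blob, decoded_text) for each long Base64 run that decodes to valid UTF-8."""
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        core = blob.rstrip("=")
        if len(core) % 4 == 1:          # no valid Base64 string has this length
            continue
        padded = core + "=" * (-len(core) % 4)   # repair stripped or partial padding
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue                     # binary payloads (images, fonts) are skipped here
        yield blob, decoded


def scan_source(text):
    """Return the indicator strings found inside the decoded Base64 blobs of one file."""
    hits = []
    for _blob, decoded in decode_blobs(text):
        for indicator in INDICATORS:
            if indicator in decoded and indicator not in hits:
                hits.append(indicator)
    return hits


def scan_files(files):
    """files: {path: source text}. Return {path: hits} for every file with at least one hit."""
    results = {}
    for path, text in files.items():
        hits = scan_source(text)
        if hits:
            results[path] = hits
    return results


def scan_directory(root):
    """Walk an IIS web root on disk and scan every ASP.NET file in it."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ASPNET_EXTS:
            files[str(path)] = path.read_text(encoding="utf-8", errors="replace")
    return scan_files(files)


# Constructed samples (not artefacts from the incident): a benign page carrying an inline
# image, and a page whose string literal decodes to C# that runs a request-supplied command.
_SHELL_SRC = (
    '<%@ Page Language="C#" %>'
    '<script runat="server">void Page_Load(object s, EventArgs e){'
    ' var p = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request.Form["c"]);'
    ' System.Diagnostics.Process.Start(p); }</script>'
)
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\default.aspx":
        '<img src="data:image/png;base64,'
        + base64.b64encode(bytes(range(256)) * 2).decode() + '">',
    r"C:\inetpub\wwwroot\img\helper.aspx":
        '<% string b = "' + base64.b64encode(_SHELL_SRC.encode()).decode() + '"; %>',
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

The decoder deliberately skips blobs that are not valid UTF-8, which keeps embedded images and fonts out of the results but also means a shell stored as a compressed or encrypted payload would need a second pass that inflates or decrypts before matching; run `scan_directory(r"C:\inetpub\wwwroot")` on a live host and compare any hit against the deployment's known files and modification times before treating it as malicious.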
Read the full article here: New SparrowDoor Backdoor Variants Found in Attacks on U.S. and Mexican Organizations