A China-linked cyberespionage gang known as 'FamousSparrow' was caught utilising a new modular version of its signature backdoor 'SparrowDoor' against a US-based trade organisation. Security experts at ESET spotted the activities and new malware version, uncovering evidence that the attacker has been more active than previously anticipated since its last operations were reported in 2022.
Apart from the financial organisation, ESET identified and linked further recent attacks to FamousSparrow, including a Mexican research facility and a Honduran government entity. In all of these incidents, initial access was acquired by exploiting obsolete Microsoft Exchange and Windows Server endpoints and infecting them with webshells.
New modular SparrowDoor
ESET's investigation revealed two new variants of the SparrowDoor backdoor. The first is identical to a backdoor credited to 'Earth Estries,' with enhanced code quality, architecture, encrypted configuration, persistence methods, and stealthy command-and-control (C2) switching. A critical new feature that applies to both new versions is parallel command execution, which allows the backdoor to continue listening for and processing incoming commands while executing prior ones.
"Both versions of SparrowDoor used in this campaign constitute considerable advances in code quality and architecture compared to older ones," reads the ESET report. "The most significant change is the parallelization of time-consuming commands, such as file I/O and the interactive shell. This allows the backdoor to continue handling new commands while those tasks are performed.”
The latest version, which is a modular backdoor with a plugin-based architecture, includes the most significant modifications. Its operating capabilities can be expanded while staying covert and undetectable by receiving additional plugins from the C2 at runtime, which are fully loaded in memory.
ShadowPad link
Another notable finding in ESET's analysis is FamousSparrow's use of ShadowPad, a sophisticated modular remote access trojan (RAT) linked to various Chinese APTs.
In the attacks seen by the researchers, ShadowPad was loaded via DLL side-loading from a renamed Microsoft Office IME executable, injected into the Windows media player (wmplayer.exe) process, and linked to a known C2 server associated with the RAT. This suggests that FamousSparrow, like other state-sponsored entities, may now have access to advanced Chinese cyber tools.
According to ESET, Microsoft classifies Earth Estries, GhostEmperor, and FamousSparrow under a single threat cluster they refer to as Salt Typhoon. ESET tracks them as separate categories because there isn't any technical evidence to support this. It acknowledges, meanwhile, that their tools share code, exploitation strategies, and some infrastructure reuse.
These overlaps, according to ESET, are indicators of a common third-party supplier, sometimes known as a "digital quartermaster," who supports and lurks behind all of these Chinese attack groups.