In a recent discovery, cybersecurity experts have identified renewed activity from FamousSparrow, a China-aligned APT group previously thought to be inactive since 2022.
The threat actor has resurfaced with two previously undocumented versions of its signature backdoor, SparrowDoor, targeting organizations in the financial sector and research institutions across multiple countries.
ESET researchers discovered the malicious activity in July 2024 when investigating suspicious behavior on the system of a US-based trade group operating in the financial sector.
Their analysis revealed that FamousSparrow had not only remained active but had been developing its toolset significantly, with marked improvements in code quality and architecture of its flagship backdoor.
The campaign represents a concerning evolution in FamousSparrow’s capabilities, as the group was also observed using ShadowPad for the first time – a privately sold backdoor known to be supplied exclusively to China-aligned threat actors.
The attack chain begins with webshell deployment on outdated IIS or Exchange servers, followed by lateral movement and the installation of the enhanced SparrowDoor variants.
Most notably, researchers found that one version of SparrowDoor is now modular, while another resembles what other security firms have called “CrowDoor” and attributed to the Earth Estries APT group, suggesting potential overlaps between these threat actors.
Command Parallelization: A Technical Advancement
The most significant technical improvement in the new SparrowDoor versions is the parallelization of time-consuming commands.
This architectural change allows the backdoor to continue handling new commands while lengthy operations, such as file I/O and interactive shell sessions, are being processed.
When the backdoor receives parallelized commands, it creates a new thread that initiates a separate connection to the command-and-control server.
The victim’s unique ID is sent over this new connection along with a command identifier, enabling the C&C server to track which connections relate to the same victim.
Each thread then handles specific subcommands independently.
This multi-threaded approach represents a sophisticated advancement over previous versions, making the backdoor more efficient and responsive.
As with earlier variants, persistence is established either via a service named “K7Soft” that runs automatically on startup or through a registry Run key with the same name.
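The persistence artifacts named above (a service called "K7Soft" or a Run-key value of the same name) are cheap to check for. The PowerShell below is an added example, not code from ESET or from the article; the function name and the specific registry paths it walks are this example's own choices, and the "K7Soft" string is the only indicator taken from the text.

```powershell
# Added example (not from the ESET report or this article): look for the
# SparrowDoor persistence artifacts the article describes - an auto-start
# service named "K7Soft" or a Run-key value of the same name.
# Run from an elevated PowerShell prompt on the host being examined.

function Find-K7SoftPersistence {
    $indicator = 'K7Soft'          # name taken from the article
    $findings  = @()

    # 1. A service with that name (the article says it runs automatically on startup)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$indicator'" `
        -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += [pscustomobject]@{
            Type      = 'Service'
            Location  = "HKLM:\SYSTEM\CurrentControlSet\Services\$indicator"
            Command   = $svc.PathName
            StartMode = $svc.StartMode
        }
    }

    # 2. Run-key values with that name: machine-wide (64- and 32-bit views),
    #    the current user, and every user hive currently loaded under HKU
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        ForEach-Object {
            $runKeys += "Registry::$($_.Name)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        }

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $props -and ($props.PSObject.Properties.Name -contains $indicator)) {
            $findings += [pscustomobject]@{
                Type      = 'RunKey'
                Location  = $key
                Command   = $props.$indicator
                StartMode = 'Logon'
            }
        }
    }

    return $findings
}

$hits = Find-K7SoftPersistence
if ($hits.Count -eq 0) {
    Write-Host "No '$($indicator = 'K7Soft')' service or Run-key value found on this host."
} else {
    foreach ($h in $hits) {
        Write-Warning ("{0} persistence found at {1} -> {2} ({3})" -f `
            $h.Type, $h.Location, $h.Command, $h.StartMode)
    }
    $hits | Format-Table -AutoSize
}
```

A name match is only a quick triage signal: the binary the service or Run value points to is what needs to be collected and examined, and a host with no "K7Soft" entry can still be compromised via the IIS or Exchange webshells the article mentions, so this check belongs alongside a review of web server directories and outbound connections rather than in place of one.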
The discovery highlights how sophisticated APT groups continuously improve their toolsets even during periods of apparent inactivity, reinforcing the need for organizations to maintain robust security measures against evolving threats.