FamousSparrow updates its attack arsenal with two new versions of SparrowDoor backdoor

ESET researchers uncovered a new campaign by the China-linked FamousSparrow APT group, which had been thought to be inactive since 2022, targeting organizations in the United States and Mexico.

The researchers uncovered two previously undocumented versions of the group's custom backdoor, SparrowDoor, that bring upgrades in both architecture and functionality.

ESET's investigation began with a US trade group in the financial sector that FamousSparrow had compromised. During that investigation the researchers found SparrowDoor variants that had not been seen before. The campaign also marks the first time the group has been observed deploying ShadowPad, a backdoor known to be supplied only to China-aligned threat actors.

FamousSparrow had previously been known for targeting a wide range of sectors, including governments, law firms, engineering companies, and international organizations.

The researchers noted that both new SparrowDoor variants encrypt their command-and-control (C&C) traffic with RC4, whereas earlier versions relied on a simple XOR scheme. RC4 is a stronger obfuscation layer than XOR, but because the key is hardcoded in the binaries it offers no confidentiality against an analyst who has a sample: once the key is recovered, captured C&C traffic can be decrypted offline.

The first new version identified in the campaign closely resembles the CrowDoor backdoor that Trend Micro described in November 2024. The two share much of their architecture and functionality, so CrowDoor is most likely a stage in SparrowDoor's ongoing development rather than a separate malware family.

The second version uncovered in the attack is modular, which lets the operators update or extend the malware's capabilities without replacing the whole implant.

FamousSparrow gained initial access by deploying a webshell on an IIS server. The exact exploit was not determined, but the victims were running outdated versions of Windows Server and Microsoft Exchange for which several public exploits exist. To execute SparrowDoor the attackers used a "trident" loading scheme: the legitimate K7AntiVirus Messenger Scanner executable (K7AVMScn.exe) side-loads a malicious DLL (K7AVWScn.dll), which in turn decrypts and runs the payload stored in a file named K7AVWScn.doc. That payload is RC4-encrypted, and the same RC4 key is hardcoded in both the loader and the backdoor itself.
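An added example, not code from ESET or from the malware described here, that ties together the two points above: RC4 in place of XOR with a key an analyst can pull out of the loader, and the trident side-loading layout. The helper pairs a "document" whose header is neither OLE nor ZIP with a DLL of the same name in the same directory, then tries candidate hardcoded keys against the blob and accepts only a result that parses as a PE image (an MZ header whose e_lfanew points at a PE signature). The file names reuse those reported above; the key, the payload bytes and the directory contents are constructed for the demo.

```python
"""Triage helpers for the 'trident' side-loading layout described above.

Added example, not ESET's or the malware's code. The RC4 key, the payload
bytes and the directory listing are constructed for the demo.
"""
from __future__ import annotations

import os
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc (Compound File Binary)
ZIP_MAGIC = b"PK\x03\x04"                        # .docx (OOXML is a ZIP container)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                         # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """MZ header whose e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_fake_document(name: str, content: bytes) -> bool:
    """A .doc/.docx that is neither an OLE nor a ZIP container is not a document."""
    if os.path.splitext(name)[1].lower() not in (".doc", ".docx"):
        return False
    return not content.startswith((OLE_MAGIC, ZIP_MAGIC))


def find_trident_candidates(files: dict[str, bytes]) -> list[tuple[str, str]]:
    """Pair each fake 'document' with a DLL of the same stem in the same folder.

    `files` maps file name -> content, i.e. a directory read into memory.
    """
    dlls = {os.path.splitext(n)[0].lower(): n for n in files if n.lower().endswith(".dll")}
    hits = []
    for name, content in files.items():
        stem = os.path.splitext(name)[0].lower()
        if is_fake_document(name, content) and stem in dlls:
            hits.append((dlls[stem], name))
    return sorted(hits)


def try_decrypt_payload(blob: bytes, candidate_keys: list[bytes]) -> tuple[bytes | None, bytes]:
    """Try each key recovered from the loader; accept the first that yields a PE."""
    for key in candidate_keys:
        plain = rc4(key, blob)
        if looks_like_pe(plain):
            return key, plain
    return None, b""


# ---- constructed sample data (no real malware) ----------------------------
DEMO_KEY = b"demo-hardcoded-key"  # stands in for the key hardcoded in the loader
# Minimal PE-shaped payload: DOS header with e_lfanew = 0x40, then the PE signature.
DEMO_PAYLOAD = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"<payload body>"
DEMO_DIR = {
    "K7AVMScn.exe": b"MZ...legitimate scanner...",  # names reused from the report
    "K7AVWScn.dll": b"MZ...side-loaded DLL...",
    "K7AVWScn.doc": rc4(DEMO_KEY, DEMO_PAYLOAD),    # encrypted payload posing as a .doc
    "report.docx": ZIP_MAGIC + b"...a real Office file...",
}


def demo() -> dict:
    pairs = find_trident_candidates(DEMO_DIR)
    key, plain = try_decrypt_payload(DEMO_DIR["K7AVWScn.doc"], [b"wrong-guess", DEMO_KEY])
    return {"pairs": pairs, "key": key, "payload_recovered": plain == DEMO_PAYLOAD}


if __name__ == "__main__":
    print(demo())
```

The PE check is what keeps a wrong key from producing a false positive: a random RC4 keystream will almost never yield both an MZ header and a consistent e_lfanew. Because RC4 is symmetric and the key is hardcoded, the same `rc4` call decrypts captured C&C traffic once the key is known, which is why the move from XOR to RC4 raises the bar for network-side inspection but not for an analyst holding the sample.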

While investigating the US victim, ESET also found that FamousSparrow had breached a research institute in Mexico just days before the US intrusion. Further analysis turned up additional activity by the group between 2022 and 2024, including attacks on a government institution in Honduras.


26 March 2025