Source URL: https://www.theregister.com/2025/03/27/china_famoussparrow_back/
Source: The Register
Title: China’s FamousSparrow flies back into action, breaches US org after years off the radar
Feedly Summary: Crew also cooked up two fresh SparrowDoor backdoor variants, says ESET
The China-aligned FamousSparrow crew has resurfaced after a long period of presumed inactivity, compromising a US financial-sector trade group and a Mexican research institute. The gang also likely targeted a governmental institution in Honduras, along with other yet-to-be-identified victims.…
AI Summary and Description: Yes
Summary: The China-aligned FamousSparrow APT group has resurfaced, compromising a US financial-sector trade group and a Mexican research institute and probably a Honduran government body. ESET also found two new variants of the group's custom SparrowDoor backdoor, showing that its tooling kept evolving during the period it was assumed to be inactive.
Detailed Description: The re-emergence of FamousSparrow, a Chinese advanced persistent threat group, has significant implications for cybersecurity, especially in light of their sophisticated malware and targeting of sensitive sectors. Key points include:
– **Target Profile**: FamousSparrow has focused on a US financial-sector trade group, a Mexican research institution, and a potential governmental target in Honduras, indicating a broad interest in espionage activities across borders.
– **Malware Development**: The group has developed two new versions of their custom backdoor, SparrowDoor, during a period of relative inactivity, illustrating their ability to enhance their tools:
– **First Variant**: More supported commands and improved multi-threading capabilities.
– **Second Variant**: Modular architecture allowing for plugin commands, enhancing functionality.
– **Historical Context**: Active since at least 2019 and first publicly documented by ESET in 2021, when it was seen targeting hotel and government networks worldwide; its reappearance is a reminder that a quiet period is not evidence that a group has disbanded.
– **Initial Access**: The group got in by deploying a webshell on an IIS server through an exploit ESET could not identify; the victims' servers were running outdated versions of Windows Server and Microsoft Exchange.
– **Attribution**: Some reporting has grouped FamousSparrow with other Chinese state-aligned clusters such as Salt Typhoon and APT41. ESET assesses that FamousSparrow is a distinct group, while noting that China-aligned APTs often share tooling and techniques, which makes clustering difficult.
– **Post-Exploitation**: After gaining access, the operators used PowerShell for remote sessions and staged follow-on malware in several steps, including the ShadowPad backdoor.
– **Code Quality Improvement**: Analysis reveals that the new versions of SparrowDoor show “considerable advances” in their design, hinting that the group is evolving technically to stay ahead of detection and remediation measures.
For defenders, the practical lessons are to keep internet-facing IIS and Exchange servers patched, to monitor them for webshell activity and unexpected child processes, and to treat a group's apparent dormancy as no reason to retire detections for its tooling. Organizations without that baseline remain exposed to the same intrusion path.
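The intrusion chain above (webshell on an IIS server, then PowerShell sessions) follows a generic pattern that is cheap to hunt for in endpoint process-creation telemetry: the IIS worker process has no business spawning a command shell, and an encoded PowerShell command line is a common follow-on. The script below is an added example written for this page, not code from ESET or The Register; the event field names are an assumption modelled loosely on Sysmon Event ID 1, and all sample events are constructed for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Processes that host IIS application code; a webshell executes inside these.
IIS_WORKERS = {"w3wp.exe"}
# Interpreters a webshell typically launches for hands-on-keyboard activity.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -en, -enc).
# "-ep" (ExecutionPolicy) must not match, hence the \b after each alternative.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\b")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (field names are an assumption)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry: one benign pair, two webshell-style spawns,
# one legitimate scheduled PowerShell script, one encoded command elsewhere.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    ProcEvent("srv02", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ep bypass -File C:\scripts\backup.ps1"),
    ProcEvent("srv03", r"C:\Windows\System32\winlogon.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -EncodedCommand ZQBjAGgAbwA="),
]


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower()


def is_webshell_spawn(ev: ProcEvent) -> bool:
    """IIS worker process launching a shell: the classic webshell tell."""
    return _basename(ev.parent_image) in IIS_WORKERS and _basename(ev.image) in SHELLS


def has_encoded_powershell(ev: ProcEvent) -> bool:
    """PowerShell started with an encoded (base64) command line."""
    return (_basename(ev.image) in POWERSHELL
            and ENCODED_FLAG.search(ev.command_line) is not None)


def triage(events) -> list[dict]:
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        if is_webshell_spawn(ev):
            reasons.append("iis_worker_spawned_shell")
        if has_encoded_powershell(ev):
            reasons.append("encoded_powershell")
        if reasons:
            findings.append({
                "host": ev.host,
                "parent": _basename(ev.parent_image),
                "image": _basename(ev.image),
                "reasons": reasons,
                "command_line": ev.command_line,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['parent']} -> {f['image']} [{', '.join(f['reasons'])}]")
```

The parent-process rule is the higher-fidelity one: w3wp.exe spawning cmd.exe or PowerShell is rare in a healthy deployment, so it can be alerted on directly, while the encoded-command rule on its own will also catch legitimate automation and is better used to raise the priority of a finding than as a stand-alone alert.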