I. Targeted Entities
- Hotels
- Governments
- Private organizations
- Engineering companies
- Law firms
II. Introduction
A cyberespionage group known as FamousSparrow has emerged, targeting governments, private organizations, and hotels around the globe with a custom backdoor called SparrowDoor.
III. Background Information
According to ESET, SparrowDoor is an advanced persistent threat (APT) with the ability to rename or delete files; create directories; shut down processes; send information such as file attributes, file size, and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell. SparrowDoor also has a kill switch to remove persistence settings and all SparrowDoor files from a victim’s machine.
FamousSparrow deployed SparrowDoor by exploiting vulnerable internet-facing web applications, using a remote code execution (RCE) vulnerability known as ProxyLogon. ESET researchers believe that FamousSparrow exploited well-known RCE vulnerabilities in Microsoft Exchange, Microsoft SharePoint, and Oracle Opera (a hotel management system) to drop various malicious samples.
Once a machine is compromised, FamousSparrow infects the machine with a range of custom tools. ESET analysis says that the custom tools include: a Mimikatz variant for lateral movement; a small utility that drops ProcDump on disk and uses it to dump the lsass process, probably in order to gather in-memory secrets, such as credentials; Nbtscan, a NetBIOS scanner for identifying files and printers across a LAN; and a loader for the SparrowDoor backdoor. Researchers also noted that the loader installs SparrowDoor via DLL search order hijacking.
SparrowDoor is loaded through DLL search-order hijacking. The legitimate executable Indexer.exe requires the library K7UL.dll to run, and the victim operating system looks for that DLL in the directories of the prescribed load order. Because the directory where Indexer.exe is stored has top priority in the load order, a K7UL.dll placed alongside the executable is found first, which is the exposure the loader relies on.
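One way to audit this exposure on a host, as an added example that is not code from the advisory or from ESET: given an executable and the DLL names it imports, the script walks the default Windows search order, reports where each DLL would be resolved from, and checks whether the application directory is writable by broad user groups. The executable path is an assumed placeholder; Indexer.exe and K7UL.dll are the names from the text.

```powershell
# Added example, not from the advisory: audit the DLL search order for one
# executable. $ExePath is a placeholder; set it to the real install path.
param(
    [string]$ExePath    = 'C:\PLACEHOLDER\Indexer.exe',
    [string[]]$DllNames = @('K7UL.dll')
)

$appDir = Split-Path -Parent $ExePath
# Default (SafeDllSearchMode enabled) order: application directory first,
# then System32, System, the Windows directory, and finally PATH entries.
$searchOrder = @(
    $appDir,
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System'),
    $env:SystemRoot
) + ($env:Path -split ';' | Where-Object { $_ })

foreach ($dll in $DllNames) {
    $hits = @($searchOrder | Where-Object { Test-Path -LiteralPath (Join-Path $_ $dll) })
    if ($hits.Count -eq 0) {
        "$dll : not found in any search-order directory; a copy in $appDir would be loaded first"
    } elseif ($hits[0] -eq $appDir) {
        $shadowed = if ($hits.Count -gt 1) { " (shadows: $($hits[1..($hits.Count - 1)] -join ', '))" } else { '' }
        "$dll : resolved from the application directory$shadowed"
    } else {
        "$dll : resolved from $($hits[0])"
    }
}

# Planting a DLL beside the executable needs write access to $appDir, so
# flag Allow entries for broad groups. Generic rights render as numbers,
# hence the string cast before matching.
$broad = '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
$writable = (Get-Acl -LiteralPath $appDir).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -match $broad -and
    ([string]$_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles')
}
if ($writable) {
    "WARNING: $appDir grants write access to $($writable.IdentityReference.Value -join ', ')"
} else {
    "$appDir is not writable by broad user groups"
}
```

A DLL that is resolved from the application directory while a copy also exists in System32, or that is missing everywhere, in a directory broad groups can write to, is the combination worth remediating with tightened ACLs or application allow-listing.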
The malware can set persistence and establish encrypted TLS connections to a command-and-control server on port 433. It achieves privilege escalation by adjusting the access token of the SparrowDoor process to enable SeDebugPrivilege, a legitimate Windows utility used to debug processes on computers other than one's own. SparrowDoor then collects and sends the victim's local IP address, the Remote Desktop Services session ID associated with the backdoor process, the username, and the computer name to the command-and-control server and waits for commands in return, which starts the spying campaign.
FamousSparrow primarily targets hotels, but ESET has also found it in other sectors, notably governments, international organizations, engineering companies, and law firms. Attacks have been seen globally, in Brazil, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, South Africa, Taiwan, Thailand, and the United Kingdom.
IV. MITRE ATT&CK
- T1588.005 – Obtain Capabilities: Exploits
FamousSparrow utilizes RCE vulnerabilities in Microsoft Exchange, SharePoint, and Oracle Opera.
- T1059.003 – Command and Scripting Interpreter: Windows Command Shell
FamousSparrow uses Windows cmd.exe to download and install SparrowDoor.
- T1027 – Obfuscated Files or Information
SparrowDoor encrypts MpSvc.dll and its config files using an XOR function.
- T1543.003 – Create or Modify System Process: Windows Service
SparrowDoor is hidden within a fake Windows service called WSearchIndex.
- T1134.002 – Access Token Manipulation: Create Process with Token
Using the CreateProcessAsUserA API, SparrowDoor can use tokens to create new processes.
- T1082 – System Information Discovery
SparrowDoor collects user and computer names in addition to the RDP session ID and machine-specific drive information.
- T1083 – File and Directory Discovery
SparrowDoor can examine files on infected machines.
- T1573.001 – Encrypted Channel: Symmetric Cryptography
C2 communication is carried out using XOR keys.
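A host triage for three of the traits mapped above, written as an added example that is not code from the advisory or from ESET. The indicator values (the WSearchIndex service name, remote port 433, the MpSvc.dll file name) are the advisory's; the check logic and the expected Defender locations for the legitimate MpSvc.dll are this script's own assumptions.

```powershell
# Added example, not from the advisory or ESET: triage one host for traits
# listed in the MITRE mapping. Run from an elevated PowerShell session; the
# file search walks the whole system drive, so it takes a while.
$findings = New-Object System.Collections.Generic.List[object]

# T1543.003: a service named WSearchIndex. The legitimate Windows Search
# service is WSearch, so the name alone is worth a look.
Get-CimInstance -ClassName Win32_Service -Filter "Name='WSearchIndex'" |
  ForEach-Object {
    $findings.Add([pscustomobject]@{
        Technique = 'T1543.003'
        Detail    = "service $($_.Name) state=$($_.State) start=$($_.StartMode) path=$($_.PathName)"
    })
  }

# T1573.001: established TCP sessions to remote port 433, with owning process.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
  Where-Object { $_.RemotePort -eq 433 } |
  ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add([pscustomobject]@{
        Technique = 'T1573.001'
        Detail    = "$($_.RemoteAddress):433 from pid $($_.OwningProcess) ($($p.ProcessName)) $($p.Path)"
    })
  }

# T1027: MpSvc.dll is a Microsoft Defender component expected under
# Program Files or ProgramData (assumption). A copy elsewhere, or one
# without a valid Authenticode signature, is a lead to inspect.
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'MpSvc.dll' -Recurse -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.FullName -notmatch '\\(Program Files|ProgramData)\\' } |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $findings.Add([pscustomobject]@{
        Technique = 'T1027'
        Detail    = "$($_.FullName) signature=$($sig.Status)"
    })
  }

if ($findings.Count -eq 0) { 'No SparrowDoor traits from this advisory observed on this host' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A hit on any one check is a lead rather than a verdict; pivot to the IOCs in section VI and to the owning process's image path before escalating.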
V. Recommendations
- Ensure Antivirus Software is Updated
Ensure that antivirus and antimalware programs scan assets using up-to-date signatures.
- Enable Endpoint Protection
Enable endpoint detection and response (EDR) in the products in use so that unknown malware can be stopped.
VI. IOCs
The link below has been included to assist with the download of some identified IOCs related to this Threat Advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.
https://usf.box.com/s/tuz87dop8aiua88m62hw9yl1il5dmio6
VII. References
(1) Seals, Tara. “FamousSparrow APT Wings in to Spy on Hotels, Governments.” Threatpost English Global, September 23, 2021. https://threatpost.com/famoussparrow-spy-hotels-governments/174948/.
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: James Krepps, Orlando Huertas, Dorian Pope, Ipsa Bhatt, Sreten Dedic, EJ Bulut, Uday Bilakhiya and Tural Hagverdiyev