FamousSparrow APT Group spying on hotels and governments worldwide

Cyber Warfare Asia
Oct 4, 2021


The cyberespionage group FamousSparrow is targeting hotels, governments, and private companies around the globe, leveraging the ProxyLogon Microsoft Exchange Server vulnerability together with its own custom backdoor, SparrowDoor.

Slovak cyber security firm ESET said that the group has been active since at least August 2019, with victims located across Africa, Asia, Europe, the Middle East, and the Americas, spanning countries including Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala.

According to ESET, intrusions exploiting the flaws began on March 3, resulting in the deployment of several malicious artifacts on the compromised server: a variant of Mimikatz, the NetBIOS scanner Nbtscan, and a small utility that drops ProcDump on disk, which in turn drops another process that researchers say is likely used to collect in-memory secrets, such as credentials.
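The tool set described above (ProcDump pointed at credentials in memory, Nbtscan, Mimikatz, all running on a compromised Exchange server) is what a defender would want to catch in process-creation telemetry. The following is an added example written for this post; it is not code from the article or from ESET. It classifies constructed Sysmon-style process-creation events: the field names (`image`, `parent_image`, `original_file_name`, `command_line`) are an assumed shape, the sample events are constructed, and the heuristic that shells spawned by the IIS worker process `w3wp.exe` are suspicious on an Exchange server is a general detection assumption rather than something the article states.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    """One process-creation record. Field names mirror a Sysmon-style event
    (Image, ParentImage, CommandLine, OriginalFileName) but this is an assumed
    shape for the example, not a real product schema."""
    host: str
    parent_image: str
    image: str
    original_file_name: str  # PE version-info name; survives renaming the binary on disk
    command_line: str


# Constructed sample events: an attacker chain under the Exchange IIS worker
# process, followed by two benign events that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent("exch01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r'cmd.exe /c "C:\ProgramData\pd.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp"'),
    ProcEvent("exch01", r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\pd.exe", "procdump",          # renamed ProcDump copy
              r"pd.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp"),
    ProcEvent("exch01", r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\nbtscan.exe", "nbtscan.exe",
              r"nbtscan.exe 10.0.0.0/24"),
    ProcEvent("exch01", r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\mk.exe", "mimikatz.exe",       # renamed Mimikatz copy
              r'mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ProcEvent("ws07", r"C:\Windows\explorer.exe",             # admin dumping a user app: benign
              r"C:\Tools\procdump64.exe", "procdump",
              r"procdump64.exe -ma notepad.exe C:\temp\np.dmp"),
    ProcEvent("ws07", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe", "svchost.exe",
              r"svchost.exe -k netsvcs"),
]

LSASS_RE = re.compile(r"\blsass(?:\.exe)?\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def classify(ev: ProcEvent) -> list:
    """Return the detection tags that apply to one event (empty list if benign)."""
    tags = []
    image, parent = _base(ev.image), _base(ev.parent_image)
    orig, cmd = ev.original_file_name.lower(), ev.command_line.lower()

    # The IIS worker process hosting Exchange has no business spawning shells;
    # after a ProxyLogon-style compromise this is where web-shell commands run from.
    if parent == "w3wp.exe" and image in SHELLS:
        tags.append("shell_spawned_by_w3wp")

    # ProcDump is legitimate tooling, so key on the target: a dump of LSASS is the
    # credential-harvesting use the article describes. OriginalFileName catches a
    # renamed copy dropped on disk.
    if (orig.startswith("procdump") or image.startswith("procdump")) and LSASS_RE.search(cmd):
        tags.append("procdump_targets_lsass")

    if orig == "nbtscan.exe" or image == "nbtscan.exe":
        tags.append("nbtscan")

    # Match on the binary's original name or on the well-known module syntax
    # in the command line, so a renamed copy is still caught.
    if "mimikatz" in orig or "mimikatz" in image or "sekurlsa::" in cmd:
        tags.append("mimikatz")
    return tags


def detect(events) -> list:
    """Run classify over a stream and keep only flagged events as (host, image, tags)."""
    hits = []
    for ev in events:
        tags = classify(ev)
        if tags:
            hits.append((ev.host, _base(ev.image), tuple(tags)))
    return hits


if __name__ == "__main__":
    for host, image, tags in detect(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {', '.join(tags)}")
```

The benign ProcDump run on `ws07` is deliberately included: alerting on every ProcDump execution buries the signal, so the rule keys on the LSASS target and on the parent process rather than on the tool name alone.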

While ESET did not attribute the FamousSparrow group to a specific country, it found similarities between its techniques and those of SparklingGoblin, an offshoot of the China-linked Winnti Group, and DRBControl, which also overlaps with malware previously identified in Winnti and Emissary Panda campaigns. Going by these readings, it appears clear that Chinese hackers are behind this espionage.

ESET researcher Matthieu Faou responded: “We did not find enough evidence to link FamousSparrow to another threat group. This doesn’t necessarily mean FamousSparrow was created recently. They could have stayed undetected for years or they could be a known group that evolved and retooled so much that we could not find a link to their previous activities.”

According to him, hotels are interesting for cyber-espionage groups because they allow the attackers to track the travel of their targets and, by infiltrating a hotel's network, potentially spy on the network traffic of the people staying there.
