Geeks for your information

FamousSparrow APT Wings in to Spy on Hotels, Governments - silversurfer - 23 September 21

Quote: A cyberespionage group dubbed “FamousSparrow” by researchers has taken flight, targeting hotels, governments and private organizations around the world with a custom backdoor called, appropriately, “SparrowDoor.” It’s one of the advanced persistent threats (APTs) that targeted the ProxyLogon vulnerabilities earlier this year, according to ESET, though its activity has only recently come to light.
 
According to the firm, the backdoor’s malicious actions include the ability to: rename or delete files; create directories; shut down processes; send information such as file attributes, file size and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell. There’s also a kill switch to remove persistence settings and all SparrowDoor files from the victim machines.
 
“The targeting, which includes governments worldwide, suggests that FamousSparrow’s intent is espionage,” researchers noted.
 
The ProxyLogon remote code execution (RCE) bug was disclosed in March, and was used by more than 10 APT groups to establish access via shellcode to Exchange mail servers worldwide in a flurry of attacks. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities the day following Microsoft’s release of a patch for the problem.
 
In FamousSparrow’s case, it used the bug to deploy SparrowDoor, which has been seen in other attacks (many of them against hotels), according to ESET. These additional campaigns have occurred both before and after ProxyLogon, and date back to August 2019, researchers noted.

Read more: FamousSparrow APT Spies on Hotels, Governments | Threatpost