The Chinese cyber-espionage group known as FamousSparrow has recently been linked to a series of cyberattacks targeting a trade association in the United States and a research institute in Mexico. These attacks, observed in July 2024, involved two new variants of the SparrowDoor malware, including a modular version, and the group's first observed use of ShadowPad, a malware widely used by Chinese state-sponsored actors.
The new SparrowDoor variants represent a significant improvement over previous versions. One of the updated versions adds command parallelization, so operations such as file I/O and launching interactive shells can run concurrently rather than one after another. This lets the malware handle multiple instructions at once and makes it more efficient for its operators.
The second variant introduces a modular architecture, with nine distinct plugins offering advanced functionality, including:
The attacks exploited vulnerabilities in Internet Information Services (IIS) servers to install a web shell. The web shell acted as a vector to download a batch script from a remote server, which in turn launched a Base64-encoded .NET web shell; this ultimately deployed the SparrowDoor and ShadowPad variants.
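The chain above hinges on a .NET payload hidden inside a Base64 string in a file on the web server. One practical triage step a defender can take is to sweep web content directories for long Base64 literals that decode to a PE image, and to flag those that carry managed-code markers. The script below is an added example written for this page, not code from the original article or from ESET; the file names, the sample "dropper" and "logo" contents, and the 200-character run length are constructed assumptions, and the fake PE it builds is a non-executable stand-in that only carries the headers the scanner checks.

```python
import base64
import binascii
import re

# Runs of 200+ Base64 characters: long enough to hold a PE image, short enough
# to still catch a dropper that splits its payload across several literals.
B64_RUN = re.compile(rb'[A-Za-z0-9+/]{200,}={0,2}')


def decode_candidates(data: bytes):
    """Yield (offset, decoded bytes) for every long Base64 run that decodes cleanly."""
    for m in B64_RUN.finditer(data):
        blob = m.group(0).rstrip(b'=')
        padded = blob + b'=' * (-len(blob) % 4)   # restore padding to a multiple of 4
        try:
            yield m.start(), base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue


def looks_like_pe(decoded: bytes) -> bool:
    """True if the bytes start with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(decoded) < 0x40 or decoded[:2] != b'MZ':
        return False
    e_lfanew = int.from_bytes(decoded[0x3C:0x40], 'little')
    return decoded[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def looks_like_dotnet(decoded: bytes) -> bool:
    """Cheap heuristic: managed PEs import mscoree.dll and carry metadata stream names."""
    return b'mscoree.dll' in decoded or b'#Strings' in decoded


def scan_bytes(name: str, data: bytes):
    """Return one finding per embedded Base64 blob that decodes to a PE image."""
    findings = []
    for offset, decoded in decode_candidates(data):
        if looks_like_pe(decoded):
            findings.append({
                'file': name,
                'offset': offset,
                'size': len(decoded),
                'dotnet': looks_like_dotnet(decoded),
            })
    return findings


def build_fake_managed_pe() -> bytes:
    """Constructed stand-in for a .NET assembly: MZ header, e_lfanew -> 'PE\\0\\0',
    and an 'mscoree.dll' import string. Not executable; only the markers exist."""
    image = bytearray(512)
    image[0:2] = b'MZ'
    image[0x3C:0x40] = (0x80).to_bytes(4, 'little')
    image[0x80:0x84] = b'PE\0\0'
    image[0x100:0x10B] = b'mscoree.dll'
    return bytes(image)


# Constructed sample files (assumed names and contents, not artefacts from the intrusion).
SAMPLE_FILES = {
    # Dropper-style page: the payload sits in one Base64 string literal.
    'dropper.aspx': (
        b'<%@ Page Language="C#" %><% string payload = "'
        + base64.b64encode(build_fake_managed_pe())
        + b'"; %>'
    ),
    # Benign page with an inline image: a long Base64 run that is not a PE.
    'logo.html': (
        b'<img src="data:image/png;base64,'
        + base64.b64encode(b'\x89PNG\r\n\x1a\n' + b'\x00' * 300)
        + b'">'
    ),
}


def scan_all(files=SAMPLE_FILES):
    """Scan every (name, bytes) pair and collect the findings."""
    results = []
    for name, data in files.items():
        results.extend(scan_bytes(name, data))
    return results


if __name__ == '__main__':
    for f in scan_all():
        print(f"{f['file']}: Base64 PE at offset {f['offset']}, "
              f"{f['size']} bytes, .NET markers={f['dotnet']}")
```

On a real server you would feed `scan_bytes` the contents of files under the IIS web roots and temporary directories rather than the inline samples; the PE check keeps ordinary Base64 images and fonts out of the results, and the .NET heuristic tells you which hits deserve a closer look first.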
The affected organizations were running outdated versions of Windows Server and Microsoft Exchange Server, highlighting the importance of keeping systems up to date to prevent such intrusions.
FamousSparrow's adoption of ShadowPad indicates a possible evolution in the group's tactics, with increased tool sharing among Chinese state-sponsored actors. SparrowDoor's new capabilities, particularly its modular architecture, increase the malware's flexibility and the threat it poses.
It is critical that organizations take proactive measures to protect their infrastructure:
For further details, consult the original article on The Hacker News.