{"id":4129,"date":"2025-03-28T10:44:00","date_gmt":"2025-03-28T08:44:00","guid":{"rendered":"https:\/\/leonardonetwork.eu\/?p=4129"},"modified":"2025-05-26T10:54:20","modified_gmt":"2025-05-26T08:54:20","slug":"nuove-varianti-di-sparrowdoor-attacchi-mirati-a-organizzazioni-negli-stati-uniti-e-in-messico","status":"publish","type":"post","link":"https:\/\/leonardonetwork.eu\/en\/new-sparrowdoor-variants-target-organizations-in-the-united-states-and-mexico\/","title":{"rendered":"New SparrowDoor variants: Targeted attacks on organizations in the United States and Mexico"},"content":{"rendered":"<p>The Chinese cyber-espionage group known as <strong>FamousSparrow<\/strong> has recently been linked to a series of cyberattacks targeting a trade association in the United States and a research institute in Mexico. These attacks, observed in July 2024, involved the use of two new variants of the <strong>SparrowDoor<\/strong> malware, including a modular version, and the first observed use by this group of <strong>ShadowPad<\/strong>, a malware widely used by Chinese state-sponsored actors.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Evolution of SparrowDoor&#039;s capabilities<\/h3>\n\n\n\n<p>The new SparrowDoor variants represent a significant improvement over previous versions. One of the updated versions features command parallelization, allowing operations such as file I\/O and the launch of interactive shells to be performed simultaneously. 
This lets the malware handle multiple instructions at once instead of serially.<\/p>\n\n\n\n<p>The second variant introduces a modular architecture with nine distinct plugins, which provide:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Running individual commands<\/li>\n\n\n\n<li>File system operations<\/li>\n\n\n\n<li>Keystroke recording (keylogging)<\/li>\n\n\n\n<li>Starting a TCP proxy<\/li>\n\n\n\n<li>Interactive shell sessions<\/li>\n\n\n\n<li>File transfer between the compromised host and the command and control (C&amp;C) server<\/li>\n\n\n\n<li>Screenshot capture<\/li>\n\n\n\n<li>Managing running processes<\/li>\n\n\n\n<li>Tracking changes in the file system<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Attack chain and infection vectors<\/h3>\n\n\n\n<p>The attacks exploited vulnerabilities in <strong>Internet Information Services (IIS)<\/strong> servers, where a web shell was installed. The web shell was used to download a batch script from a remote server; the script in turn launched a Base64-encoded .NET web shell, which ultimately deployed the SparrowDoor and ShadowPad variants.<\/p>\n\n\n\n<p>The affected organizations were using outdated versions of <strong>Windows Server<\/strong> and <strong>Microsoft Exchange Server<\/strong>, highlighting the importance of keeping systems up to date to prevent such intrusions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Implications and recommendations<\/h3>\n\n\n\n<p>FamousSparrow&#039;s adoption of ShadowPad indicates a possible evolution in the group&#039;s tactics, with increased tool sharing among various Chinese state-sponsored actors. 
SparrowDoor&#039;s new capabilities, particularly its modular architecture, make the malware more flexible and more dangerous.<\/p>\n\n\n\n<p>It is critical that organizations take proactive measures to protect their infrastructure:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Regularly update operating systems and applications to fix known vulnerabilities.<\/li>\n\n\n\n<li>Implement advanced security solutions to monitor and detect suspicious activity.<\/li>\n\n\n\n<li>Conduct periodic security audits to identify and mitigate potential risks.<\/li>\n<\/ul>\n\n\n\n<p>For further details, please consult <a href=\"https:\/\/thehackernews.com\/2025\/03\/new-sparrowdoor-backdoor-variants-found.html\" target=\"_blank\" rel=\"noreferrer noopener\">the original article on The Hacker News<\/a>.<\/p>","protected":false},"excerpt":{"rendered":"<p>The Chinese cyberespionage group known as FamousSparrow has recently been linked to a series of cyberattacks that targeted a trade association in the United States and a research institute in Mexico. 
These attacks, observed in July 2024, involved the use of two new variants of the SparrowDoor malware, including one <\/p>","protected":false},"author":1,"featured_media":4130,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[38],"tags":[],"class_list":["post-4129","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog"],"acf":[],"_links":{"self":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/posts\/4129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/comments?post=4129"}],"version-history":[{"count":0,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/posts\/4129\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/media\/4130"}],"wp:attachment":[{"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/media?parent=4129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/categories?post=4129"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/leonardonetwork.eu\/en\/wp-json\/wp\/v2\/tags?post=4129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}