FamousSparrow APT Relies on SparrowDoor and the ProxyLogon Vulnerability

The hackers from the FamousSparrow APT are fairly new players in the cybercrime field. Their first campaigns were spotted in March 2021, when they were exploiting the ProxyLogon vulnerability in Microsoft Exchange servers. During this period, nearly a dozen Advanced Persistent Threat (APT) actors were abusing the zero-day vulnerability to hijack Microsoft Exchange mail servers. Nowadays, the FamousSparrow APT hackers appear to still be relying on this vulnerability, but they are also targeting other Web-exposed applications such as SharePoint and Oracle Opera. Of course, their targets are networks running outdated versions of the software, which remain vulnerable to old exploits.

The signature backdoor Trojan that these hackers use is SparrowDoor. It is currently very active, and has managed to infect networks in a dozen countries, among them the United Kingdom, Brazil, Canada, Israel, France, and South Africa. Although the majority of the active infections appear to be concentrated in the hotel industry, the FamousSparrow APT hackers also go after non-profit organizations, governments, and companies in the law or engineering sectors. With that said, it is safe to assume that espionage is the primary motivation of these criminals.

While the custom SparrowDoor backdoor handles a large portion of the attack, the FamousSparrow APT hackers also rely on public tools – Mimikatz, ProcDump, and Nbtscan. The first two are used to try to obtain login credentials from the infected system, while the Nbtscan utility is a NetBIOS scanner, which enables the criminals to discover and compromise other devices on the same network.

While the FamousSparrow APT's modus operandi shares similarities with other APT groups, it is too early to determine whether they are connected to a better-known hacking group. Their network infrastructure appears to be unique, and the SparrowDoor backdoor has so far only been used by this particular group.