SparrowDoor Backdoor, a Custom Trojan by the FamousSparrow APT

Trickbot Streals Passwords From Browsers

The FamousSparrow Advanced Persistent Threat (APT) group is fairly new name to the cybercrime field. Recently, their activities and campaigns have been observed closely by malware researchers, and the first implant that the criminals use has been uncovered. The threat, called SparrowDoor, is employed in attacks against the hotel industry. However, some copies of the SparrowDoor Backdoor were also seen on networks belonging to engineering companies, law firms, and government bodies. The list of countries that the FamousSparrow APT targets is rather long – Canada, Israel, France, Taiwan, Lithuania, Brazil, and many others.

Often, high-profile threat actors rely on phishing messages to penetrate a network's security be exploiting employees. However, the SparrowDoor appears to often infect systems through exploiting vulnerable Web-connected applications. In short, this means that the criminals are typically looking for systems running outdated software, which has certain vulnerabilities.

SparrowDoor Backdoor Focuses on Espionage Operations

Once it is up and running, the backdoor sets up a new service and also uses the Windows Registry to gain persistence. Its files are typically stored in the %APPDATA% folder, using fake names. In order to control the backdoor, attackers must authenticate using a username and password. The criminals are able to use the SparrowDoor to execute the following tasks:

  • Modify the file system.
  • Manage running processes.
  • Steal specific files.
  • Search for specific files and transfer them to the control server.
  • Execute remote commands.
  • Remove the implant.

The hackers are primarily relying on exploiting vulnerabilities in SharePoint, Microsoft Exchange Server, and Oracle Opera. However, there is no limit to the number of Internet-facing applications they target. Web administrators should take the required measures to update all software in order to prevent the SparrowDoor and similar threats from penetrating their security.

September 27, 2021