A cyberespionage group dubbed FamousSparrow is targeting hotels, governments, and private businesses around the world, leveraging the ProxyLogon Microsoft Exchange Server vulnerability along with its own custom backdoor, SparrowDoor.
ESET researchers tracking the group believe it has been active since 2019, when it compromised an organization in Africa, says ESET researcher Matthieu Faou, who uncovered FamousSparrow with his colleague Tahseen Bin Taj. On March 3, the attackers began to exploit the ProxyLogon vulnerabilities that have been used by more than 10 advanced persistent threat (APT) groups to take over Exchange servers.
FamousSparrow primarily targets hotels; however, researchers have seen a few targets in other sectors, including governments, international organizations, engineering companies, and law firms. Its victims are located in countries including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Lithuania, Guatemala, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.
"On the malware side, the group did not evolve much, but in terms of targeting, we have seen a shift in 2020 when they started to target hotels worldwide," says Faou of the group's evolution. FamousSparrow stands out for its focus on hotels, in addition to popular APT targets, such as governments.
"We believe their main motivation is espionage," he adds. "Hotels are prime targets for APT groups because it allows attackers to gather data about their targets' travel habits. They can also potentially breach the hotels' Wi-Fi infrastructure to spy on nonencrypted network traffic."
Microsoft Exchange in the Mix
In cases where researchers were able to determine the initial compromise vector, they say FamousSparrow targeted victims through vulnerable Internet-facing applications. It's believed the group exploited known remote code execution flaws in Microsoft Exchange, including the ProxyLogon bug in March, as well as Microsoft SharePoint and Oracle Opera, a form of business software for hotel management.
With the server compromised, the attackers deploy several custom tools: a variant of Mimikatz, NetBIOS scanner Nbtscan, and a small utility that drops ProcDump on disk, which drops another process that researchers say is likely used to gather in-memory secrets, such as credentials.
Attackers also dropped a loader for their SparrowDoor backdoor, a tool that is unique to them.
"SparrowDoor enables attackers to [almost] fully control the compromised machines, including executing any arbitrary command or exfiltrating any file," Faou says. The deployment of SparrowDoor, as well as the use of server-side vulnerabilities, is the group's main trait.
Researchers consider FamousSparrow to be its own entity but have found connections to other known APT groups, including SparklingGoblin and DRBControl.
"It is likely they share tools or access to victims, but we believe they are separate threat groups," Faou says.
This is a reminder for organizations to patch Internet-facing applications quickly, researchers say. If quick patching is not possible, businesses are advised to not expose the apps to the Internet.