Cybersecurity researchers at ESET recently stumbled upon a new variant of FamousSparrow’s malware. This led the cybersecurity consultants down a path towards exposing the group’s activities across the globe.
ESET research uncovered additional activity by the group during the 2022-2024 period, including the targeting of a governmental institution in Honduras. A new attack has surfaced, the aim being to disrupt a U.S.-based trade group.
FamousSparrow was first documented by the Slovak cybersecurity company in September 2021 in connection with a series of cyberattacks.
In light of this recent return of Chinese threat actor FamousSparrow, many technology commentators are concerned about the potential danger of the group’s improved backdoor tools. This includes Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ, who has explained to Digital Journal why businesses should be mindful of this resurrected threat.
Costis begins by reviewing the hacker group and how it has resurfaced again: “FamousSparrow, a Chinese hacking group thought to have been dormant since 2022, has resurfaced, targeting organizations in the U.S. and Latin America. New evidence suggests that the group has been active in its perceived hiatus.”
As to the nature of the threat, Costis considers: “FamousSparrow has been associated with Salt Typhoon, another prominent Chinese threat actor. The two share similar infrastructure, which is not uncommon among APT groups. However, FamousSparrow should be treated as a distinct threat group based on its use of the SparrowDoor backdoor, which they have upgraded significantly since its last deployment years prior.”
Costis also ponders ‘why here, why now’: “It is concerning how FamousSparrow could remain undetected for years while remaining active and improving its patented backdoor tool.”
Adding more granularity, Costis notes: “The suggestion that they weaponized ProxyLogon just one day after Microsoft disclosed the vulnerability’s existence highlights the challenges organizations face in timely vulnerability and patch management.”
What can businesses do in light of the threat? Costis recommends: “To protect themselves against FamousSparrow, organizations need to be proactive. Adopting a threat-informed defense posture and testing real-world observed adversary behaviors will help to highlight where gaps exist.”
He further advises: “Prompt patch management is also key, particularly for internet-facing applications. Taking these actions in advance is the best way for companies to reduce the chances of an attack.”
