FamousSparrow APT Wings in to Spy on Hotels, Governments

2021-09-23 14:08

A cyberespionage group dubbed "FamousSparrow" by researchers has taken flight, targeting hotels, governments and private organizations around the world with a custom backdoor called, appropriately, "SparrowDoor." It's one of the advanced persistent threats that targeted the ProxyLogon vulnerabilities earlier this year, according to ESET, though its activity has only recently come to light.

According to the firm, the backdoor's malicious actions include the ability to: rename or delete files; create directories; shut down processes; send information such as file attributes, file size and file write time; exfiltrate the content of a specified file; write data to a specified file; or establish an interactive reverse shell.

"The targeting, which includes governments worldwide, suggests that FamousSparrow's intent is espionage," researchers noted.

"We believe FamousSparrow exploited known remote code-execution vulnerabilities in Microsoft Exchange, Microsoft SharePoint and Oracle Opera, which were used to drop various malicious samples," according to ESET researchers.

"Therefore, the OS looks for the DLL file in directories in the prescribed load order. Since the directory where the Indexer.exe file is stored is at the top priority in the load order, it is exposed to DLL search-order hijacking. And that is exactly how the malware gets loaded."

FamousSparrow mainly targets hotels, but ESET observed targets in other sectors, including governments, international organizations, engineering companies and law firms.

News URL

https://threatpost.com/famoussparrow-spy-hotels-governments/174948/

#APT #hotel #SPY