Security News > 2021 > September > Researchers finger new APT group, FamousSparrow, for hotel attacks

It's not entirely certain that FamousSparrow represents a wholly new APT group.

While the SparrowDoor tool appears to be exclusive and suggests a new player, the researchers found potential links between FamousSparrow and existing APT groups - including the use of the Motnug loader known to have been used by a group dubbed SparklingGoblin and a SparrowDoor-compromised machine seen to be connecting to a command and control server connected to the DRDControl group.

FamousSparrow is also far from the only group taking advantage of the ProxyLogon vulnerability, with researchers having linked its use to more than ten APT groups - most of which, like FamousSparrow, began their attacks the day after Microsoft had released patches, taking advantage of the window between the release of a patch and its widespread installation.

We asked how likely it was that FamousSparrow was a wholly new group, rather than an existing group using a new tool.

ESET researcher Matthieu Faou responded: "We did not find enough evidence to link FamousSparrow to another threat group. This doesn't necessarily mean FamousSparrow was created recently. They could have stayed undetected for years or they could be a known group that evolved and retooled so much that we could not find a link to their previous activities."

As to why the group is primarily targeting hotels, Faou told us: "Hotels are interesting for cyber-espionage groups because it allows them to track the travel of their targets and, by infiltrating the network of the hotels, they could potentially spy on the network traffic of people staying at these hotels." He added: "Even though FamousSparrow compromised a lot of hotels, they've also breached several governments."

News URL

https://go.theregister.com/feed/www.theregister.com/2021/09/23/researchers_finger_new_apt_group/