Threat Signal Report

Threat Actor FamousSparrow Targeting Hotels, Governments and Businesses Worldwide

Description

FortiGuard Labs is aware of a report that the FamousSparrow APT group has attacked hotels, governments and businesses worldwide with a backdoor Trojan named "SparrowDoor." According to the report from security vendor ESET, FamousSparrow's first activity can be traced back to August 2019. Their main target is reportedly hotels, but their victims also include "governments, international organizations, engineering companies and law firms" in 13 countries spread across five continents. The group also leveraged ProxyLogon, a notorious exploit chain used against Microsoft Exchange servers (Microsoft released an out-of-band patch in March), to install the backdoor.


Why is This Significant?

This is significant because the FamousSparrow APT group had successfully stayed under the radar since 2019 and has been identified as one of the threat actors that had access to the ProxyLogon exploit code back in March 2021. The group is also said to have leveraged vulnerabilities in SharePoint and Oracle Opera.


What is ProxyLogon?

ProxyLogon is an exploit chain of four vulnerabilities in Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that allows a threat actor to compromise on-premises Exchange servers and achieve remote code execution. Microsoft also released a detailed report about the HAFNIUM APT group, which utilized ProxyLogon before the patch became available. FortiGuard Labs previously released a Threat Alert and a blog on the incident. See the Appendix section for links to "Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server" and "Fortinet Addresses Latest Microsoft Exchange Server Exploits".


Who Is Targeted by FamousSparrow?

According to the ESET report, FamousSparrow primarily targeted hotels worldwide, as well as governments, international organizations and other businesses in Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand and the United Kingdom.


What is the Main Purpose of FamousSparrow?

Cyber espionage appears to be the goal of FamousSparrow. However, the exfiltrated information can also be used for future attacks.


What Malware and Tools Does FamousSparrow Use in Their Attacks?

Their main tool is a backdoor program called SparrowDoor, but they also use custom versions of Mimikatz, ProcDump and Nbtscan. The Mimikatz variants are used for lateral movement. ProcDump is a tool that dumps the Local Security Authority Subsystem Service (LSASS) process in order to steal the credentials stored in it. Nbtscan is a tool that scans IP networks for NetBIOS information.
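The LSASS dumping described above leaves a reliable host-side trace: any process that reads LSASS memory must first open a handle to lsass.exe with the PROCESS_VM_READ right, which Sysmon records as Event ID 10 (ProcessAccess) with the source image and the granted access mask. The following is an added detection example written for this report, not code from FortiGuard or ESET. It assumes a simplified key=value rendering of Sysmon Event ID 10 fields (the real events are XML), uses constructed sample records, and ships a hypothetical allowlist of system processes that legitimately touch LSASS, which would have to be tuned per environment.

```python
"""Flag suspicious handle access to lsass.exe in Sysmon Event ID 10 (ProcessAccess) records."""
import re

# Windows process access rights relevant here. Reading another process's memory,
# which is what a memory dump of LSASS requires, needs PROCESS_VM_READ.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of source images that open lsass.exe on a healthy host.
# Paths are compared lower-cased. Tune this per environment before relying on it.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
}

# Constructed sample records (not real telemetry), in a simplified key=value
# rendering of the fields Sysmon emits for Event ID 10.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000 SourceUser=NT AUTHORITY\\SYSTEM",
    "EventID=10 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\pd.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF SourceUser=CORP\\alice",
    "EventID=10 SourceImage=C:\\Windows\\System32\\taskmgr.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400 SourceUser=CORP\\bob",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\svchost.exe GrantedAccess=0x1FFFFF SourceUser=NT AUTHORITY\\SYSTEM",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c whoami",
]

# key=value pairs; a value runs until the next "<space>key=" token or end of line,
# so values containing spaces (e.g. "NT AUTHORITY\SYSTEM") survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opened lsass.exe with memory-read rights."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    if not target.endswith("\\lsass.exe"):
        return False
    source = event.get("SourceImage", "").lower()
    if source in ALLOWLIST:
        return False
    try:
        access = int(event.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    # Query-only masks such as 0x1000 or 0x1400 (Task Manager style) do not
    # include PROCESS_VM_READ and cannot dump memory; 0x1FFFFF (full access) does.
    return bool(access & PROCESS_VM_READ)


def find_lsass_dumps(lines):
    """Return (source image, user, access mask) for each suspicious LSASS access."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_lsass_access(event):
            hits.append((event["SourceImage"], event.get("SourceUser", ""), event["GrantedAccess"]))
    return hits


if __name__ == "__main__":
    for source, user, mask in find_lsass_dumps(SAMPLE_EVENTS):
        print(f"suspicious LSASS access: {source} as {user} (GrantedAccess={mask})")
```

Only the record from the temp-directory binary with full access (0x1FFFFF) is flagged; the allowlisted svchost.exe access and the query-only taskmgr.exe access are not. Matching on the access mask rather than on the tool name matters here because FamousSparrow uses custom builds of ProcDump, so a hash or filename indicator for the stock tool would miss them.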


What Does SparrowDoor Do?

SparrowDoor is a backdoor program and, as such, receives commands from its Command and Control (C&C) server and performs actions accordingly. Some of the commands perform data exfiltration.


Prior to receiving commands, the malware sends collected information, such as the victim's local IP address, username, computer name and RDP session ID associated with the backdoor, to the C&C server.


Is FamousSparrow Associated with Other APT Groups?

While the security vendor has drawn no clear conclusion, a loader that FamousSparrow used at one point was also used by the SparkingGoblin APT group. A domain previously used by FamousSparrow was also used by the DRBControl APT group.


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place for available samples:


Riskware/Mimikatz

W32/Korplug.QQ!tr

W64/Kryptik.BSQ!tr


FortiGuard Labs has the following IPS coverage in place:


MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution

MS.Exchange.Server.UM.Core.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution


All known network IOCs related to this threat are blocked by the FortiGuard WebFiltering Client.


Definitions

Traffic Light Protocol

Color: when should it be used, and how may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.