Threat Actor FamousSparrow Targeting Hotels, Governments and Businesses Worldwide

Description

FortiGuard Labs is aware of a report that the FamousSparrow APT group has attacked hotels, governments and businesses worldwide with a backdoor Trojan named "SparrowDoor." According to the report from security vendor ESET, FamousSparrow's activity can be traced back to at least August 2019. Its main targets are reportedly hotels, but they also include "governments, international organizations, engineering companies and law firms" in 13 countries spread across five continents. The group also leveraged ProxyLogon, the notorious exploit chain used against on-premises Microsoft Exchange servers (Microsoft released out-of-band patches in March 2021), to install the backdoor.


Why is This Significant?

This is significant because the FamousSparrow APT group stayed under the radar from 2019 until the publication of the ESET report, and because it has been identified as one of the threat actors that had access to the ProxyLogon exploit in March 2021, shortly after the vulnerabilities were disclosed. The group is also reported to have leveraged vulnerabilities in Microsoft SharePoint and in Oracle Opera, a hotel management software package.


What is ProxyLogon?

ProxyLogon is the name given to an exploit chain against on-premises Microsoft Exchange Server that combines CVE-2021-26855, a pre-authentication server-side request forgery (SSRF) flaw, with CVE-2021-27065, a post-authentication arbitrary file write, to achieve remote code execution without valid credentials. Microsoft's out-of-band update of March 2, 2021 fixed these two flaws together with CVE-2021-26857 and CVE-2021-26858, which were being exploited in the wild at the same time. Microsoft also released a detailed report about the HAFNIUM APT group, which used ProxyLogon before the patch became available. FortiGuard Labs previously released a Threat Alert and a blog on the incident; see the Appendix section for links to "Out of Band Patches Released for Active Exploitation of Microsoft Exchange Server" and "Fortinet Addresses Latest Microsoft Exchange Server Exploits".
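Exchange administrators who suspect they were hit during the same window can look for the CVE-2021-26855 footprint in the HttpProxy logs. The script below is an added example and is not code from the ESET or Fortinet report; it mirrors the indicator that Microsoft's Test-ProxyLogon.ps1 checks, namely an unauthenticated request whose AnchorMailbox routing value starts with "ServerInfo~" and names a backend server followed by a path. The log excerpt is constructed for illustration and keeps only a subset of the real HttpProxy CSV columns.

```python
"""Scan Exchange HttpProxy logs for the published CVE-2021-26855 pattern.

Added example, not from the ESET or Fortinet report. An unauthenticated
request routed with an AnchorMailbox of the form "ServerInfo~<server>/<path>"
is the SSRF footprint Microsoft's Test-ProxyLogon.ps1 looks for.
"""
import csv
import io
from collections import Counter

# Constructed sample. Real logs sit under <Exchange install>\Logging\HttpProxy\
# and carry far more columns; only the ones the check needs are kept here.
SAMPLE_HTTPPROXY_LOG = """\
DateTime,UrlStem,AuthenticationType,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-03T08:12:01.123Z,/owa/auth/logon.aspx,FormsAuth,,,198.51.100.7,200
2021-03-03T08:14:22.451Z,/ecp/y.js,,,ServerInfo~exch01.corp.example/autodiscover/autodiscover.xml?a=~1942062522,203.0.113.45,200
2021-03-03T08:15:03.990Z,/owa/,FormsAuth,CORP\\jdoe,Smtp~jdoe@corp.example,192.0.2.10,200
2021-03-03T08:16:40.007Z,/ecp/default.flt,,,ServerInfo~exch01.corp.example/ecp/DDI/DDIService.svc/GetObject?schema=OABVirtualDirectory&msExchEcpCanary=abc123,203.0.113.45,200
2021-03-03T08:20:11.000Z,/autodiscover/autodiscover.xml,Negotiate,CORP\\svc_mon,Smtp~svc_mon@corp.example,192.0.2.20,200
2021-03-03T08:21:05.300Z,/owa/,,,ServerInfo~exch01.corp.example,203.0.113.46,200
"""


def parse_httpproxy_log(log_text):
    """Return one dict per log row; the header row supplies the keys."""
    return list(csv.DictReader(io.StringIO(log_text)))


def is_proxylogon_ssrf(row):
    """True for an unauthenticated request routed via ServerInfo~<server>/<path>.

    A bare "ServerInfo~<server>" anchor without a path is not matched, which
    is why the last constructed row above stays quiet.
    """
    anchor = (row.get("AnchorMailbox") or "").strip()
    user = (row.get("AuthenticatedUser") or "").strip()
    return not user and anchor.startswith("ServerInfo~") and "/" in anchor


def find_proxylogon_indicators(log_text):
    """Return the matching rows reduced to the fields an analyst triages first."""
    hits = []
    for row in parse_httpproxy_log(log_text):
        if is_proxylogon_ssrf(row):
            hits.append({
                "time": row["DateTime"],
                "src_ip": row["ClientIpAddress"],
                "url": row["UrlStem"],
                "anchor": row["AnchorMailbox"],
            })
    return hits


def sources_by_hit_count(hits):
    """Group hits by client IP so the noisiest source is looked at first."""
    return dict(Counter(h["src_ip"] for h in hits))


if __name__ == "__main__":
    found = find_proxylogon_indicators(SAMPLE_HTTPPROXY_LOG)
    for hit in found:
        print(f'{hit["time"]} {hit["src_ip"]} {hit["url"]} -> {hit["anchor"]}')
    print(sources_by_hit_count(found))
```

Two of the six constructed rows match, both from 203.0.113.45 and both against /ecp/ paths, which is where the chain typically pivots to the arbitrary file write. A clean result is not proof of a clean server: an intruder who has already reached administrator on the box can prune these logs, so the check belongs alongside a review of OAB virtual directory ExternalUrl values and of the web shells HAFNIUM-style intrusions drop.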


Who is Targeted by FamousSparrow?

According to the ESET report, FamousSparrow primarily targeted hotels worldwide, as well as governments, international organizations and other businesses in Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand and the United Kingdom.


What is the Main Purpose of FamousSparrow?

Cyber espionage appears to be FamousSparrow's goal. The exfiltrated information, credentials in particular, can also be reused to stage future attacks.


What Malware and Tools Does FamousSparrow Use in Their Attacks?

Their main arsenal is a backdoor program called SparrowDoor, but they also use custom versions of Mimikatz along with ProcDump and Nbtscan. The Mimikatz variants harvest credentials that support lateral movement. ProcDump, a legitimate Sysinternals utility, is used to dump the memory of the Local Security Authority Subsystem Service (LSASS) process so that the credentials it holds can be extracted offline. Nbtscan is a tool that scans IP networks for NetBIOS name information.
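Because the group ships its own builds of these tools, a detection that matches the file name "procdump.exe" will miss them. The script below is an added example and is not code from the ESET or Fortinet report; it keys on behaviour instead: a process opening lsass.exe with the access rights a memory dump needs (Sysmon Event ID 10, ProcessAccess) and a command line that names lsass together with a ProcDump dump switch (Sysmon Event ID 1, ProcessCreate). The events and the allowlist of trusted LSASS readers are constructed and must be tuned to a real environment.

```python
"""Flag process telemetry consistent with dumping LSASS for credential theft.

Added example, not from the ESET or Fortinet report. Field names follow
Sysmon's ProcessCreate (ID 1) and ProcessAccess (ID 10) events; the events
and the allowlist below are constructed for illustration.
"""
import re

# Access rights MiniDumpWriteDump needs on the target handle:
# PROCESS_QUERY_INFORMATION (0x0400) | PROCESS_VM_READ (0x0010).
DUMP_REQUIRED_ACCESS = 0x0400 | 0x0010

# Assumed allowlist of processes that legitimately open LSASS with broad
# rights. Example values only; tune to the environment being monitored.
LSASS_ACCESS_ALLOWLIST = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\example av\scan.exe",
}

# ProcDump switches that write a dump: -mm (mini), -mp (mini plus), -ma (full).
PROCDUMP_DUMP_SWITCH = re.compile(r"(^|\s)-m[amp](\s|$)")

# Constructed events. pd64.exe stands in for a renamed ProcDump build.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\pd64.exe",
     "CommandLine": r"pd64.exe -accepteula -ma lsass.exe C:\Users\Public\ls.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p -s Schedule"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\pd64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\wininit.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Example AV\scan.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\pd64.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF"},
]


def is_lsass_dump_cmdline(cmdline):
    """Command line names lsass and carries a ProcDump dump switch."""
    cmd = cmdline.lower()
    return "lsass" in cmd and PROCDUMP_DUMP_SWITCH.search(cmd) is not None


def is_dump_capable(granted_access):
    """GrantedAccess (hex string as Sysmon logs it) includes the dump rights."""
    mask = int(granted_access, 16)
    return (mask & DUMP_REQUIRED_ACCESS) == DUMP_REQUIRED_ACCESS


def targets_lsass(image_path):
    """Compare on the basename so drive letters and casing do not matter."""
    return image_path.lower().rsplit("\\", 1)[-1] == "lsass.exe"


def flag_lsass_dumps(events):
    """Return one finding per event that looks like an LSASS memory dump."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and is_lsass_dump_cmdline(ev["CommandLine"]):
            findings.append({"event_id": 1, "image": ev["Image"],
                             "reason": "ProcDump-style dump of lsass: " + ev["CommandLine"]})
        elif ev["EventID"] == 10 and targets_lsass(ev["TargetImage"]):
            src = ev["SourceImage"]
            if src.lower() not in LSASS_ACCESS_ALLOWLIST and is_dump_capable(ev["GrantedAccess"]):
                findings.append({"event_id": 10, "image": src,
                                 "reason": f"opened lsass.exe with GrantedAccess {ev['GrantedAccess']}"})
    return findings


if __name__ == "__main__":
    for f in flag_lsass_dumps(SAMPLE_EVENTS):
        print(f'Event {f["event_id"]} {f["image"]}: {f["reason"]}')
```

On the constructed events only the two pd64.exe records fire: wininit.exe and the scanner are allowlisted, Task Manager's 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) lacks the read rights a dump requires, and the notepad.exe access is not against LSASS. The bitmask test is deliberately used instead of a list of "known bad" GrantedAccess values such as 0x1FFFFF or 0x1410, because any tool that can dump memory must hold at least the two rights checked, whatever else it requests.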


What Does SparrowDoor Do?

SparrowDoor is a backdoor program: it receives commands from its command-and-control (C&C) server and performs actions accordingly, and some of those commands exfiltrate data.

Before it starts receiving commands, the malware sends information collected from the host, such as the victim's local IP address, username, computer name and the RDP session ID associated with the backdoor process, to the C&C server.


Is FamousSparrow Associated with Other APT Groups?

While ESET has drawn no firm conclusion on attribution, a loader that FamousSparrow used at one point was also used by the SparklingGoblin APT group, and a domain previously used by FamousSparrow was also used by the DRBControl APT group.


What is the Status of Coverage?

FortiGuard Labs has the following AV coverage in place for the available samples:


Riskware/Mimikatz

W32/Korplug.QQ!tr

W64/Kryptik.BSQ!tr


FortiGuard Labs has the following IPS coverage in place:


MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution

MS.Exchange.Server.UM.Core.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution

MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution


All known network IOCs related to this threat are blocked by the FortiGuard Web Filtering client.