A recent investigation by ESET researchers has shed light on the continued activity and evolving toolset of the China-aligned Advanced Persistent Threat (APT) group known as FamousSparrow, which Microsoft folds into its Salt Typhoon cluster.
The investigation, prompted by suspicious activity detected in July 2024 on the network of a United States-based financial trade group, revealed that FamousSparrow has kept refining its malicious capabilities. Evidence pointed to concurrent compromises of a Mexican research institute and a government institution in Honduras, showing that the group's targeting has broadened.
The campaign also marked the first documented instance of FamousSparrow using ShadowPad, a privately sold backdoor known to be supplied exclusively to threat actors aligned with Chinese interests.
The analysis detailed the deployment of two newly discovered versions of the group's signature malware, SparrowDoor. One version resembles the "CrowDoor" backdoor, a tool Trend Micro attributes to the Earth Estries APT group, while the other has a modular design that departs significantly from earlier SparrowDoor samples.
“From our perspective, these are part of the continued development effort on SparrowDoor rather than a different family,” ESET researchers explained in the blog post.
The attack chain began with a webshell deployed on an Internet Information Services (IIS) server. ESET did not pin down the exact entry vector, but suspects exploitation of vulnerabilities in outdated versions of Windows Server and Microsoft Exchange, given that several public exploits exist for those products. The group combined custom malware with tools shared among China-aligned APTs, culminating in the deployment of SparrowDoor and ShadowPad.
Once on the server, the attackers ran a batch script downloaded from a remote server that deployed a .NET webshell. From there they established remote PowerShell sessions, gathered system information, and escalated privileges using publicly available exploits bundled into the PowerHub framework.
The final stage used a three-file "trident loading scheme" to execute SparrowDoor, in which a legitimate antivirus executable is abused for DLL side-loading. "We observed three unique SparrowDoor C&C servers in this campaign, all of which used port 80," researchers noted.
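The two hands-on stages above, an IIS webshell spawning shells and a signed host binary side-loading a DLL, both leave telemetry that a defender can query. The following is an added example written for this page, not code from ESET or the article; it runs two detection rules over constructed Sysmon-style events (IDs 1 and 7). The hosts, paths and file names are invented for illustration and are not indicators from the ESET report, and the boolean `process_signed`/`dll_signed` fields are an assumed normalisation of Sysmon's signature fields.

```python
"""Flag webshell child processes and DLL side-loading in Sysmon-style events.

Added example for this article; the events below are constructed test data,
not indicators from the ESET report.
"""
import ntpath

# Sysmon event IDs used here: 1 = ProcessCreate, 7 = ImageLoad
EVENTS = [
    # IIS worker spawning cmd.exe that launches an encoded PowerShell command
    {"id": 1, "host": "iis01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    # ASP.NET compiling a page under w3wp is normal and must not fire
    {"id": 1, "host": "iis01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "csc.exe /noconfig /fullpaths @C:\\Windows\\Temp\\page.cmdline"},
    # signed host binary dropped in a writable directory loading an unsigned DLL beside it
    {"id": 7, "host": "iis01", "image": r"C:\ProgramData\Update\avhost.exe",
     "loaded": r"C:\ProgramData\Update\avcore.dll",
     "process_signed": True, "dll_signed": False},
    # the same vendor binary in its install directory loading its own signed DLL: benign
    {"id": 7, "host": "iis01", "image": r"C:\Program Files\Vendor\avhost.exe",
     "loaded": r"C:\Program Files\Vendor\avcore.dll",
     "process_signed": True, "dll_signed": True},
]

IIS_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Directories where a signed binary loading its own DLLs is expected
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    # trailing separator so "c:\program files" does not match "c:\program files (x86)"
    return ntpath.dirname(path).lower() + "\\"


def webshell_children(events):
    """Sysmon 1: an IIS worker spawning an interactive shell is the classic
    sign of a webshell in use; the remote PowerShell sessions start here."""
    return [e for e in events
            if e["id"] == 1
            and _base(e["parent"]) in IIS_WORKERS
            and _base(e["image"]) in SHELLS]


def sideload_candidates(events):
    """Sysmon 7: a signed executable outside the OS/vendor install directories
    loading an unsigned DLL from its own directory matches the side-loading
    pattern used to start SparrowDoor. Either signing check alone is noisy;
    the combination with the directory test keeps the rule usable."""
    hits = []
    for e in events:
        if e["id"] != 7 or not e["process_signed"] or e["dll_signed"]:
            continue
        if _dir(e["image"]) != _dir(e["loaded"]):
            continue
        if _dir(e["image"]).startswith(TRUSTED_DIRS):
            continue
        hits.append(e)
    return hits


def triage(events):
    """Group findings per host so a host showing both stages stands out."""
    findings = {}
    for e in webshell_children(events):
        findings.setdefault(e["host"], []).append(
            f"webshell: {_base(e['parent'])} -> {e['cmdline']}")
    for e in sideload_candidates(events):
        findings.setdefault(e["host"], []).append(
            f"sideload: {e['image']} loaded {e['loaded']}")
    return findings


if __name__ == "__main__":
    for host, items in triage(EVENTS).items():
        print(host)
        for item in items:
            print("  ", item)
```

Run against the constructed events, the webshell rule fires once (cmd.exe under w3wp.exe, not csc.exe) and the side-loading rule fires once (the copy in C:\ProgramData, not the one in Program Files). In production the same logic would sit in a SIEM query rather than a script; the point is the pairing of conditions, since the host binary in a side-loading attack is genuinely signed and by itself looks clean.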
The new SparrowDoor versions show real technical progress, including parallel command processing and a plugin-based architecture for loading additional functionality at runtime. ESET has not yet observed any plugins in use, but the code analysis suggests the modular design is meant to evade detection by keeping the core backdoor's footprint, and therefore what defenders can fingerprint, to a minimum.
ESET researchers attribute the observed activity to FamousSparrow with high confidence, based on the group's exclusive use of SparrowDoor and significant code overlap with previously documented samples. They maintain that FamousSparrow, GhostEmperor and Earth Estries are distinct groups, citing discrepancies between them and a lack of conclusive evidence for the links that Microsoft Threat Intelligence draws when it groups them under the Salt Typhoon cluster.
They acknowledge partial code overlap between SparrowDoor and HemiGate, a tool associated with Earth Estries, but suggest it is better explained by a shared third party, such as a "digital quartermaster" supplying tools or infrastructure, than by the groups being one and the same.