From Dormancy to Development: FamousSparrow's Comeback with ShadowPad


The China-aligned APT group FamousSparrow resurfaced in 2024 after two years of presumed inactivity. ESET researchers uncovered new activity involving two previously undocumented versions of its SparrowDoor backdoor in attacks targeting a financial trade group and a research institute. Notably, ShadowPad was used for the first time by this group. These findings signal active development and operations by FamousSparrow, including modular backdoor evolution, use of new TTPs, and increased operational sophistication.

Severity Level: High

THREAT DETAILS

  1. Initial Access: Likely via exploitation of outdated Microsoft Exchange and Windows Server software.
  2. Webshell Deployment:
    • A batch script is downloaded via HTTP from attacker-controlled IP 43.254.216[.]195.
    • This script contains a base64-encoded .NET webshell, which it decodes using certutil.exe and writes to C:\users\public\s.ashx.
    • The Webshell is further placed in a DotNetNuke directory (e.g., DesktopModules\DotNetNuke.ashx).
    • The webshell enables an interactive PowerShell session. Commands are executed via an unconventional method, i.e., by invoking Equals on a custom class in memory.
  3. Privilege Escalation: PowerHub (customized) and Invoke-BadPotato module for SYSTEM-level escalation.
  4. Malware Components:
    • SparrowDoor (aka HemiGate): Custom backdoor capable of executing commands, downloading/uploading files, creating proxies, and interacting with plugins. Two versions observed: a simple loader version and a modular version with dynamic plugin loading.
    • CrowDoor: A variant of SparrowDoor, previously identified by other vendors (Trend Micro) under the name “CrowDoor”, believed to be part of SparrowDoor’s evolution.
    • ShadowPad: A known modular backdoor used by Chinese APT groups.
    • Modified Spark RAT: Extended to include Go-based shellcode loader functionality.
    • Custom tools to dump credentials from LSASS memory.

Recommendations:

  1. Ensure Microsoft IIS, Microsoft Exchange and Windows Servers are updated with the latest security patches.
  2. Monitor for unusual execution of the binaries below with adjacent malicious DLLs:
    • K7AVMScn.exe (K7 Antivirus)
    • imecmnt.exe or renamed imjp14k.exe
    • vlc-gen-cache.exe (VLC Cache Generator)
  3. Monitor and restrict execution from paths like:
    • C:\users\public\
    • DesktopModules\ in DotNetNuke deployments
  4. Hunt for These Behaviors:
    • PowerShell downloading files from external IPs
    • RC4-encrypted payloads or batch scripts using certutil.exe
    • Creation of mutexes named Global\ID(<PID>)
    • Unusual process trees involving colorcpl.exe, cmd.exe, wmplayer.exe
  5. Inspect for TLS Certificate Spoofing: Look for self-signed certs mimicking trusted vendors (e.g., Dell), with SHA-1 fingerprint: BAED2895C80EB6E827A6D47C3DD7B8EFB61ED70B.
  6. Block the IOCs at their respective controls.

SOURCES:

  • https://www.virustotal.com/gui/collection/d7b0d438592ad4ff1a68e9b29f77b3cd8b2795310d2b199ab46833d8a9be05d1/iocs
  • https://www.welivesecurity.com/en/eset-research/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow/


Ampcus Cyber