Researchers have identified a new hacking group that is spying on organizations around the world.
The advanced persistent threat (APT) group, named FamousSparrow by ESET, is a newcomer to the cyber espionage scene.
Governments, engineering businesses, international organizations, law firms, and the hotel industry from Europe, the United Kingdom, Israel, Saudi Arabia, Taiwan, Burkina Faso, West Africa, the United States, Brazil, Guatemala, and Canada have been targeted by this advanced APT, according to ESET.
Current threat data suggests FamousSparrow is a distinct group from other active APTs. However, there appear to be some overlaps, ESET says. In one case, the group's tooling was linked to the DRBControl APT through a shared command-and-control (C2) server. In another instance, a variant of the SparklingGoblin loader appeared to have been used.
One thing that makes FamousSparrow of particular interest is that this new APT joined at least ten other APT groups that exploited the ProxyLogon flaws, a chain of zero-day vulnerabilities used to compromise Microsoft Exchange servers around the world.
The APT prefers internet-facing applications as its initial point of entry, which includes not just Microsoft Exchange servers but also Microsoft SharePoint and Oracle Opera.
FamousSparrow is the first known APT to employ a custom backdoor that ESET has named SparrowDoor. The backdoor is installed through a loader that abuses DLL search-order hijacking, and once in place it establishes a connection to the attacker's C2 server for data exfiltration.
Moreover, FamousSparrow uses two modified versions of Mimikatz, an open source post-exploitation credential tool that attackers frequently misuse. Upon initial infection, a version of this program is dropped, together with the NetBIOS scanner Nbtscan and a utility for capturing in-memory data, such as credentials.
ESET warns that it is essential to patch internet-facing applications immediately.