New FamousSparrow hacking group caught targeting hotels

A laptop on a table with the Microsoft Exchange logo displayed
(Image credit: Shutterstock)

Security researchers have revealed that a new hacking group dubbed FamousSparrow has been attacking hotels worldwide since 2019. The cyber criminals have also targeted law firms, governments, and private companies.

Security researchers at Eset said the group deals in cyber espionage and telemetry data and used the Microsoft Exchange vulnerabilities known as ProxyLogon. This is a remote code execution vulnerability used by more than 10 APT groups to take over Exchange mail servers worldwide.

The group has used the flaw since March 3, only a day after Microsoft released security patches for them.

The APT group has targeted victims from Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the UK.

The gang uses a custom backdoor, dubbed SparrowDoor in its attacks, and two custom versions of Mimikatz. Researchers also discovered a link between FamousSparrow and other APT groups, such as SparklingGoblin and the DRBControl group.

In a few cases, the researchers found the initial compromise vector used by FamousSparrow and systems compromised through vulnerable internet-facing web applications.

“We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples,” the researchers added.


Optimising performance with frequent server replacements for enterprises

Learn more about Dell Technologies solutions powered by Intel®


Once a server is compromised, hackers deploy customer tools, such as a Mimikatz variant, a small utility that drops ProcDump on disk and uses it to dump the lsass process, Nbtscan, a NetBIOS scanner, and a loader for the SparrowDoor backdoor.

The SparrowDoor backdoor is initially loaded via DLL search order hijacking. This then makes a connection to the hackers’ C2 for data exfiltration. The backdoor can also create directories, read and write files, and exfiltrate data. There is also a kill switch that gives the backdoor the privilege to uninstall or restart SparrowDoor.

“FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera,” said researchers. “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.”

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.