FamousSparrow
Affiliated Intrusion Sets | TeleBoyi, SparklingGoblin |
---|---|
FamousSparrow is a cyberespionage group originally identified by ESET. The group has been observed targeting hotels, governments, and private businesses worldwide.
The group exploits vulnerabilities to gain initial access, with targeted software including Microsoft Exchange Server (via the ProxyLogon vulnerability), Microsoft SharePoint and Oracle Opera (business software used in hotel management).
The group employs a custom backdoor called SparrowDoor which allows attackers to almost fully control compromised machines, execute arbitrary commands, and exfiltrate files.
Victims have been identified in multiple countries, including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Lithuania, Guatemala, Saudi Arabia, Taiwan, Thailand, and the United Kingdom. Hotels appear to be prime targets for the group due to their ability to provide insights into travel habits and potential access to nonencrypted network traffic via Wi-Fi infrastructure.
FamousSparrow Threat Reports
FamousSparrow: A suspicious hotel guest
This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...
References
www.eset.com
https://www.eset.com/uk/about/newsroom/press-releases/eset-research-discovers-famoussparrow-apt-group/
www.welivesecurity.com
https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/
jsac.jpcert.or.jp
https://jsac.jpcert.or.jp/archive/2024/pdf/JSAC2024_1_8_yi-chin_yu-tung_en.pdf
www.ncsc.gov.uk
https://www.ncsc.gov.uk/report/mar-sparrowdoor
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1003 | OS Credential Dumping | Credential Access |
T1588.005 | Exploits | Resource Development |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1071.001 | Web Protocols | Command and Control |
T1082 | System Information Discovery | Discovery |
T1190 | Exploit Public-Facing Application | Initial Access |
T1543.003 | Windows Service | Persistence, Privilege Escalation |
T1203 | Exploitation for Client Execution | Execution |
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation |
T1134.002 | Create Process with Token | Defense Evasion, Privilege Escalation |
T1059.003 | Windows Command Shell | Execution |
T1583.001 | Domains | Resource Development |
T1055.001 | Dynamic-link Library Injection | Defense Evasion, Privilege Escalation |
T1083 | File and Directory Discovery | Discovery |
T1583.004 | Server | Resource Development |
T1005 | Data from Local System | Collection |
T1573.001 | Symmetric Cryptography | Command and Control |
T1041 | Exfiltration Over C2 Channel | Exfiltration |
T1574.001 | DLL Search Order Hijacking | Defense Evasion, Persistence, Privilege Escalation |