FamousSparrow

Directly Linked Intrusion Sets: Earth Estries, Salt Typhoon, GhostEmperor, Operator Panda
Affiliated Intrusion Sets: TeleBoyi, SparklingGoblin

FamousSparrow is a cyberespionage group originally identified by ESET. The group has been observed targeting hotels, governments, and private businesses worldwide.

The group exploits vulnerabilities to gain initial access, with targeted software including Microsoft Exchange Server (and the ProxyLogon vulnerability), Microsoft SharePoint and Oracle Opera (business software used in hotel management).

The group employs a custom backdoor called SparrowDoor which allows attackers to almost fully control compromised machines, execute arbitrary commands, and exfiltrate files.

Victims have been identified in multiple countries, including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Lithuania, Guatemala, Saudi Arabia, Taiwan, Thailand, and the United Kingdom. Hotels appear to be prime targets for the group because they can provide insights into travel habits and potential access to unencrypted network traffic via Wi-Fi infrastructure.


FamousSparrow Threat Reports


FamousSparrow: A suspicious hotel guest

This blog post by researchers from ESET describes the FamousSparrow APT group and associated custom backdoor 'SparrowDoor'. According to the post, ...


MITRE ATT&CK Techniques

MITRE ATT&CK techniques observed in use by this intrusion set.