
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 998 of 2,445   
   Mike Powell to All   
   Hackers target US financi   
   28 Mar 25 10:28:00   
   
   TZUTC: -0500   
   MSGID: 723.consprcy@1:2320/105 2c4bfd1e   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Notorious Chinese hackers FamousSparrow allegedly target US financial firms   
      
   Date:   
   Thu, 27 Mar 2025 14:18:00 +0000   
      
   Description:   
   The group was thought to have retired - but it was just hiding really well.
      
   FULL STORY   
      
   FamousSparrow, a Chinese state-sponsored threat actor thought to be retired,   
   is not only active, but has been targeting government, financial   
   organizations, and research institutes, for years now, experts have revealed.    
      
   Cybersecurity researchers at ESET recently stumbled upon a new variant of
   FamousSparrow's malware, leading them down a rabbit hole exposing the group's
   activities across the globe.
      
   ESET said that it was brought in by an unnamed trade group in the United
   States, operating in the financial sector, to assist with a malware
   infection. The investigators found two previously undocumented versions of
   SparrowDoor, FamousSparrow's flagship backdoor.
      
   SparrowDoor    
      
   ESET said that the group hasn't been heard of since 2022, which made the
   cybersecurity community think it was inactive.
      
   However, during that period, FamousSparrow targeted a government institution   
   in Honduras, and a research institute in Mexico.    
      
   In fact, the latter was breached just a couple of days prior to the    
   compromise in the US (both had happened in July 2024).    
      
   "Both of these versions of SparrowDoor constitute marked progress over earlier
   iterations, especially in terms of code quality and architecture, and one
   implements parallelization of commands," ESET said.
      
   "While these new versions exhibit significant upgrades, they can still be
   traced back directly to earlier, publicly documented versions. The loaders
   used in these attacks also present substantial code overlaps with samples
   previously attributed to FamousSparrow," says ESET researcher Alexandre Côté
   Cyr, who made the discovery.
      
   The investigators said they couldn't determine the initial infection vector,
   but added that the company used outdated versions of Windows Server and
   Microsoft Exchange, both of which have multiple, publicly available exploits.
      
   Whichever vulnerability they used, FamousSparrow deployed a webshell on an    
   IIS server, gaining access and the ability to deploy additional payloads.    
      
   Besides SparrowDoor, the group used ShadowPad, and other tools capable of   
   running commands, keylogging, exfiltrating files, taking screenshots, and   
   more.   
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/chinese-hackers-famoussparrow-allegedly-target-us-financial-firms
      
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   



(c) 1994,  bbs@darkrealms.ca