Yet another APT group that exploited the ProxyLogon vulnerability in March 2021
ESET researchers have uncovered a new cyberespionage group targeting hotels, governments, and private companies worldwide. We have named this group FamousSparrow and we believe it has been active since at least 2019.
Reviewing telemetry data during our investigation, we realized that FamousSparrow leveraged the Microsoft Exchange vulnerabilities known as ProxyLogon that we described extensively in March 2021. As a reminder, this remote code execution vulnerability was used by more than 10 APT groups to take over Exchange mail servers worldwide. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3rd, 2021, the day following the release of the patch, so it is yet another APT group that had access to the ProxyLogon remote code execution vulnerability in March 2021.
In this blogpost we will discuss the attribution to FamousSparrow and the group’s victimology. This will be followed by a detailed technical analysis of the group’s main backdoor that we have named SparrowDoor.
We consider FamousSparrow to be the only current user of the custom backdoor SparrowDoor (covered in detail in the later sections of this blogpost). It also uses two custom versions of Mimikatz (see the Indicators of Compromise section) that can be used to tie incidents to this group.
While we consider FamousSparrow to be a separate entity, we found connections to other known APT groups. In one case, attackers deployed a variant of Motnug that is a loader used by SparklingGoblin. In another case, on a machine compromised by FamousSparrow, we found a running Metasploit with cdn.kkxx888666[.]com as its C&C server. This domain is related to a group known as DRBControl.
The group has been active since at least August 2019 and it mainly targets hotels worldwide. In addition, we have seen a few targets in other sectors such as governments, international organizations, engineering companies and law firms in the following countries:
Figure 1. Geographic distribution of FamousSparrow targets
In a few cases, we were able to find the initial compromise vector used by FamousSparrow and these systems were compromised through vulnerable internet-facing web applications. We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples.
Once the server is compromised, attackers deploy several custom tools:
Through our telemetry, we were able to recover only the loader component (SHA-1: E2B0851E2E281CC7BCA3D6D9B2FA0C4B7AC5A02B). We also found a very similar loader on VirusTotal (SHA-1: BB2F5B573AC7A761015DAAD0B7FF03B294DC60F6) that allowed us to find the missing components, including SparrowDoor.
SparrowDoor is initially loaded via DLL search order hijacking, using three elements – a legitimate K7 Computing executable (Indexer.exe) used as the DLL hijacking host, a malicious DLL (K7UI.dll), and encrypted shellcode (MpSvc.dll) – all of which are dropped in %PROGRAMDATA%\Software. It can be assumed that the command line argument used with the initial SparrowDoor execution, in order to set up persistence, is either nothing or anything but -i, -k or -d (the functionalities of these three arguments are explained below). Once persistence is set up, SparrowDoor is executed with the -i command line argument. Refer to Figure 2 for a brief overview of the flow of the initial loading process. If you would like an in-depth look into the loading process, continue reading!
Figure 2. SparrowDoor staging
The legitimate executable, Indexer.exe, requires the library K7UI.dll to operate. Therefore, the OS looks for the DLL file in directories in the prescribed load order. Since the directory where the Indexer.exe file is stored is at the top priority in the load order, it is exposed to DLL search-order hijacking. And that is exactly how the malware gets loaded. Indexer.exe loads the malicious K7UI.dll, which in turn patches the code in Indexer.exe (from call WinMain to jmp K7UI.0x100010D0) and then returns to Indexer.exe. As a result of this, Indexer.exe ends up running a subroutine in K7UI.dll (located in the .text section) instead of calling WinMain. We will refer to this subroutine as launcher. The functionality of launcher is to load MpSvc.dll (the encrypted shellcode) into memory from the directory that also stores Indexer.exe, decrypt the content and then execute the shellcode.
The shellcode (MpSvc.dll) is encrypted using four-byte XOR with the key being the first four bytes of the file.
The MpSvc.dll shellcode loads the libraries it needs to build a PE image and resolves the addresses of the functions it will use. It then allocates RWX memory and copies various regions of the shellcode into it to assemble the PE image, resolving the imports of several functions from different libraries along the way. Finally, it executes the newly built backdoor from its entry point. Interestingly, this rebuilt executable image has no PE headers, as shown in Figure 3, so the loader executes the backdoor by jumping to the entry point at a hardcoded offset within the allocated memory.
Figure 3. The PE header is missing in the newly built backdoor from the MpSvc.dll shellcode
The arguments passed to the backdoor are inherited from the arguments passed to Indexer.exe, or to any other binary that gets the shellcode/backdoor injected. The tasks performed by the backdoor after an argument is specified are shown in Table 1.
Table 1. Actions performed based on the command line arguments provided to SparrowDoor
The configuration is found in the binary and is decrypted using the multi-byte XOR key ^&32yUgf. The configuration has the following format:
The decrypted values are shown in Table 2.
Table 2. The key-value pairs of the configuration along with a description of their purpose
Connections may or may not go through a proxy, and they reach the C&C server over port 443 (HTTPS), so the communication should be encrypted using TLS. During the first attempt to contact the C&C server, SparrowDoor checks whether a connection can be established without a proxy; if it can’t, the data is sent through a proxy. All outgoing data is encrypted using the XOR key hH7@83#mi and all incoming data is decrypted using the XOR key h*^4hFa. Each message starts with a Command ID, followed by the length of the ensuing encrypted data, followed by the encrypted data itself.
Figure 4 shows an example of how the data is sent to the C&C server (in this case it is sending system information), while Figure 5 shows the plaintext form of the same data payload.
Figure 4. A Wireshark dump showing the data POSTed by the backdoor
Figure 5. The decrypted data containing system information
In this case, the victim’s local IP address converts to decimal as 192.168.42.1.
Session ID is the Remote Desktop Services session ID associated with the backdoor process, found using the ProcessIdToSessionId Windows API call.
The systemInfoHash is computed via the sdbm hash algorithm, using the username, computer name, host addresses and the session ID.
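As an added example (not ESET’s code and not SparrowDoor’s), a small Python helper for the encodings described above: the MpSvc.dll shellcode XORed with its own first four bytes, the configuration XORed with ^&32yUgf, C&C messages XORed with hH7@83#mi (outgoing) and h*^4hFa (incoming), and the sdbm hash behind systemInfoHash. Assumptions: the 4-byte key prefix is not part of the encrypted shellcode body, the Command ID and length are 4-byte little-endian fields, and all sample inputs are constructed.

```python
import struct

# XOR keys quoted in the analysis above.
CONFIG_KEY = b"^&32yUgf"     # embedded configuration
OUTBOUND_KEY = b"hH7@83#mi"  # data the backdoor sends to the C&C server
INBOUND_KEY = b"h*^4hFa"     # data the backdoor receives from the C&C server

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; one call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decrypt_shellcode(blob: bytes) -> bytes:
    """Recover the MpSvc.dll shellcode: the 4-byte key is the first four bytes
    of the file. Assumption: the key prefix itself is not part of the body."""
    if len(blob) < 4:
        raise ValueError("file too short to carry a 4-byte key")
    return xor_repeating(blob[4:], blob[:4])

def decrypt_config(blob: bytes) -> bytes:
    """Decrypt the embedded configuration with its multi-byte key."""
    return xor_repeating(blob, CONFIG_KEY)

def parse_frame(frame: bytes, key: bytes) -> tuple[int, bytes]:
    """Split one C&C message into (command_id, plaintext). Layout from the
    text: Command ID, length of the encrypted data, then that data.
    Assumption: both header fields are 4-byte little-endian integers."""
    if len(frame) < 8:
        raise ValueError("frame shorter than its header")
    cmd_id, length = struct.unpack_from("<II", frame, 0)
    body = frame[8:8 + length]
    if len(body) != length:
        raise ValueError(f"truncated frame: need {length} bytes, have {len(body)}")
    return cmd_id, xor_repeating(body, key)

def build_frame(cmd_id: int, plaintext: bytes, key: bytes) -> bytes:
    """Inverse of parse_frame; used only to construct sample captures."""
    body = xor_repeating(plaintext, key)
    return struct.pack("<II", cmd_id, len(body)) + body

def sdbm_hash(data: bytes) -> int:
    """32-bit sdbm hash (the algorithm behind systemInfoHash). The exact field
    order and encoding the backdoor feeds into it are not documented here."""
    h = 0
    for b in data:
        h = (b + (h << 6) + (h << 16) - h) & 0xFFFFFFFF
    return h
```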
Privilege escalation is performed in this function by adjusting the access token of the SparrowDoor process to enable SeDebugPrivilege. After that, the shutdown function (Ws2_32.dll) is patched to prevent disabling sends and receives on a socket, and the closesocket function (Ws2_32.dll) is patched to first enable the DONT_LINGER option, so that the socket is closed without waiting for pending data to be sent or received. Finally, system information is sent to the C&C server (as seen in Figures 4 and 5 above) in order to receive data back in return.
Based on the Command ID field in the data received from the C&C server, the backdoor can perform different malicious actions that are detailed in Table 3.
Table 3. Actions performed by SparrowDoor when the corresponding Command IDs are received
FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera. This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.
The targeting, which includes governments worldwide, suggests that FamousSparrow’s intent is espionage. We have highlighted some links to SparklingGoblin and DRBControl, but we don’t consider that these groups are the same.
A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in our GitHub repository.
For any inquiries, or to make sample submissions related to the subject, contact us at firstname.lastname@example.org.
UPDATE (October 13th, 2021): The IP address 45.192.178[.]206 was removed from the Indicators of Compromise. This was a mistake on our end.
This table was built using version 9 of the MITRE ATT&CK framework.