FamousSparrow attacking hotels around the world

ESET has discovered a new APT group, FamousSparrow, which has existed since at least 2019 and has been targeting hotels, international organizations, engineering firms and law firms around the world. FamousSparrow is believed to be involved in cyber espionage.

The victims of the hack group are in Europe (France, Lithuania, UK), the Middle East (Israel, Saudi Arabia), America (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso), experts say.


Basically, the grouping attacks follow the same pattern: the group uses vulnerabilities in web applications to penetrate the networks of its victims. Among the vulnerabilities exploited by cybercriminals are bugs in Microsoft Exchange, SharePoint and Oracle Opera (hotel software).

It is emphasized that FamouseSparrow was one of the first APTs to organize attacks on ProxyLogon vulnerabilities found in Microsoft Exchange mail servers.

According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3rd, 2021, the day following the release of the patch, so it is yet another APT group that had access to the ProxyLogon remote code execution vulnerability in March 2021.ESET specialists report.

Once secured in the victim’s network, the attackers deploy a special SparrowDoor backdoor, which they use as a reference point for further movement in the compromised organization’s network, using publicly available tools, including Mimikatz and Metasploit.

ESET writes that FamousSparrow has used tools previously associated with spy operations by other hack groups, including DRDControl and SparklingGoblin, but researchers are not yet ready to report on any specific attribution of the group.

While we consider FamousSparrow to be a separate entity, we found connections to other known APT groups. In one case, attackers deployed a variant of Motnug that is a loader used by SparklingGoblin. In another case, on a machine compromised by FamousSparrow, we found a running Metasploit with cdn.kkxx888666[.]com as its C&C server. This domain is related to a group known as DRBControl.ESET specialists explained.

By the way, we wrote that Symantec warned that Booking hotels and online check-ins on flights are unsafe.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button