News

FamousSparrow attacking hotels around the world

ESET has discovered a new APT group, FamousSparrow, which has existed since at least 2019 and has been targeting hotels, international organizations, engineering firms and law firms around the world. FamousSparrow is believed to be involved in cyber espionage.

The victims of the hack group are in Europe (France, Lithuania, UK), the Middle East (Israel, Saudi Arabia), America (Brazil, Canada, Guatemala), Asia (Taiwan) and Africa (Burkina Faso), experts say.

Basically, the grouping attacks follow the same pattern: the group uses vulnerabilities in web applications to penetrate the networks of its victims. Among the vulnerabilities exploited by cybercriminals are bugs in Microsoft Exchange, SharePoint and Oracle Opera (hotel software).

It is emphasized that FamouseSparrow was one of the first APTs to organize attacks on ProxyLogon vulnerabilities found in Microsoft Exchange mail servers.

According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3rd, 2021, the day following the release of the patch, so it is yet another APT group that had access to the ProxyLogon remote code execution vulnerability in March 2021.ESET specialists report.

Once secured in the victim’s network, the attackers deploy a special SparrowDoor backdoor, which they use as a reference point for further movement in the compromised organization’s network, using publicly available tools, including Mimikatz and Metasploit.

ESET writes that FamousSparrow has used tools previously associated with spy operations by other hack groups, including DRDControl and SparklingGoblin, but researchers are not yet ready to report on any specific attribution of the group.

While we consider FamousSparrow to be a separate entity, we found connections to other known APT groups. In one case, attackers deployed a variant of Motnug that is a loader used by SparklingGoblin. In another case, on a machine compromised by FamousSparrow, we found a running Metasploit with cdn.kkxx888666[.]com as its C&C server. This domain is related to a group known as DRBControl.ESET specialists explained.

By the way, we wrote that Symantec warned that Booking hotels and online check-ins on flights are unsafe.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)
Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Recent Posts

Remove Pbmsoultions pop-up ads (Virus Removal Guide)

Pbmsoultions.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Prizestash pop-up ads (Virus Removal Guide)

Prizestash.com is a site that tries to trick you into subscribing to its browser notifications…

2 days ago

Remove Verifiedbreaking pop-up ads (Virus Removal Guide)

Verifiedbreaking.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove Themoneyminutes pop-up ads (Virus Removal Guide)

Themoneyminutes.com is a domain that tries to force you into subscribing to its browser notifications…

2 days ago

Remove News-xcidizi pop-up ads (Virus Removal Guide)

News-xcidizi.com is a domain that tries to trick you into clik to its browser notifications…

2 days ago

Remove Everytraffic-flow pop-up ads (Virus Removal Guide)

Everytraffic-flow.com is a domain that tries to trick you into subscribing to its browser notifications…

2 days ago