Subj : Hackers target US financi To : All From : Mike Powell Date : Fri Mar 28 2025 10:28:00 Notorious Chinese hackers FamousSparrow allegedly target US financial firms Date: Thu, 27 Mar 2025 14:18:00 +0000 Description: The group was though to have retired - but it was just hiding really well. FULL STORY FamousSparrow, a Chinese state-sponsored threat actor thought to be retired, is not only active, but has been targeting government, financial organizations, and research institutes, for years now, experts have revealed. Cybersecurity researchers at ESET recently stumbled upon a new variant of FamousSparrows malware , leading them down a rabbit hole exposing the group's activities across the globe. ESET said that it was brought in by an unnamed trade group in the United States, operating in the financial sector, to assist with a malware infection. The investigators found two previously undocumented versions of SparrowDoor, FamousSparrows flagship backdoor. SparrowDoor ESET said that the group hasnt been heard of since 2022, which made the cybersecurity community think it was inactive. However, during that period, FamousSparrow targeted a government institution in Honduras, and a research institute in Mexico. In fact, the latter was breached just a couple of days prior to the compromise in the US (both had happened in July 2024). Both of these versions of SparrowDoor constitute marked progress over earlier iterations, especially in terms of code quality and architecture, and one implements parallelization of commands, ESET said. While these new versions exhibit significant upgrades, they can still be traced back directly to earlier, publicly documented versions. The loaders used in these attacks also present substantial code overlaps with samples previously attributed to FamousSparrow, says ESET researcher Alexandre Ct Cyr, who made the discovery. The investigators said they couldnt determine the initial infection vector, but added that the company used outdated versions of Windows Server and Microsoft Exchange, both of which have multiple, publicly available exploits. Whichever vulnerability they used, FamousSparrow deployed a webshell on an IIS server, gaining access and the ability to deploy additional payloads. Besides SparrowDoor, the group used ShadowPad, and other tools capable of running commands, keylogging, exfiltrating files, taking screenshots, and more. ====================================================================== Link to news story: https://www.techradar.com/pro/security/chinese-hackers-famoussparrow-allegedly -target-us-financial-firms $$ --- SBBSecho 3.20-Linux * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105) .