{"id":5883,"date":"2021-10-04T10:25:00","date_gmt":"2021-10-04T07:25:00","guid":{"rendered":"https:\/\/blog.eset.ee\/?p=5883"},"modified":"2021-10-08T14:19:06","modified_gmt":"2021-10-08T11:19:06","slug":"famoussparrow-a-suspicious-hotel-guest","status":"publish","type":"post","link":"https:\/\/blog.eset.ee\/et\/en\/2021\/10\/04\/famoussparrow-a-suspicious-hotel-guest\/","title":{"rendered":"FamousSparrow: A suspicious hotel guest"},"content":{"rendered":"\n<p>ESET researchers have uncovered a new cyberespionage group targeting hotels, governments, and private companies worldwide. We have named this group FamousSparrow and we believe it has been active since at least 2019.<\/p>\n\n\n\n<p>Reviewing telemetry data during our investigation, we realized that FamousSparrow leveraged the Microsoft Exchange vulnerabilities known as ProxyLogon that&nbsp;<a href=\"https:\/\/www.welivesecurity.com\/2021\/03\/10\/exchange-servers-under-siege-10-apt-groups\/\" target=\"_blank\" rel=\"noreferrer noopener\">we described extensively in March 2021<\/a>. As a reminder, this remote code execution vulnerability was used by more than 10 APT groups to take over Exchange mail servers worldwide. According to ESET telemetry, FamousSparrow started to exploit the vulnerabilities on March 3<sup>rd<\/sup>, 2021, the day following the release of the patch, so it is yet another APT group that had access to the ProxyLogon remote code execution vulnerability in March 2021.<\/p>\n\n\n\n<p>In this blogpost we will discuss the attribution to FamousSparrow and the group\u2019s victimology. This will be followed by a detailed technical analysis of the group\u2019s main backdoor that we have named SparrowDoor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">A note on attribution<\/h2>\n\n\n\n<p>FamousSparrow is a group that we consider as the only current user of the custom backdoor, SparrowDoor (which we cover in detail in the later sections of this blogpost). 
It also uses two custom versions of Mimikatz (see the<em>&nbsp;<a href=\"https:\/\/www.welivesecurity.com\/2021\/09\/23\/famoussparrow-suspicious-hotel-guest\/#Indicators%20of%20Compromise\">Indicators of Compromise<\/a><\/em>&nbsp;section) that could be used to connect incidents to this group.<\/p>\n\n\n\n<p>While we consider FamousSparrow to be a separate entity, we found connections to other known APT groups. In one case, attackers deployed a variant of Motnug that is a loader used by&nbsp;<a href=\"https:\/\/www.welivesecurity.com\/2021\/08\/24\/sidewalk-may-be-as-dangerous-as-crosswalk\/\" target=\"_blank\" rel=\"noreferrer noopener\">SparklingGoblin<\/a>. In another case, on a machine compromised by FamousSparrow, we found a running Metasploit with&nbsp;cdn.kkxx888666[.]com&nbsp;as its C&amp;C server. This domain is related to a group known as&nbsp;<a href=\"https:\/\/documents.trendmicro.com\/assets\/white_papers\/wp-uncovering-DRBcontrol.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">DRBControl<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Victimology<\/h2>\n\n\n\n<p>The group has been active since at least August 2019 and it mainly targets hotels worldwide. 
In addition, we have seen a few targets in other sectors such as governments, international organizations, engineering companies and law firms in the following countries:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Brazil<\/li><li>Burkina Faso<\/li><li>South Africa<\/li><li>Canada<\/li><li>Israel<\/li><li>France<\/li><li>Guatemala<\/li><li>Lithuania<\/li><li>Saudi Arabia<\/li><li>Taiwan<\/li><li>Thailand<\/li><li>United Kingdom<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"591\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-1.-Geographic-distribution-of-FamousSparrow-targets-768x591-1.png\" alt=\"\" class=\"wp-image-5886\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-1.-Geographic-distribution-of-FamousSparrow-targets-768x591-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-1.-Geographic-distribution-of-FamousSparrow-targets-768x591-1-166x128.png 166w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 1. Geographic distribution of FamousSparrow targets<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Compromise vector<\/h2>\n\n\n\n<p>In a few cases, we were able to find the initial compromise vector used by FamousSparrow and these systems were compromised through vulnerable internet-facing web applications. 
We believe FamousSparrow exploited known remote code execution vulnerabilities in Microsoft Exchange (including ProxyLogon in March 2021), Microsoft SharePoint and Oracle Opera (business software for hotel management), which were used to drop various malicious samples.<\/p>\n\n\n\n<p>Once the server is compromised, attackers deploy several custom tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A Mimikatz variant<\/li><li>A small utility that drops&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procdump\">ProcDump<\/a>&nbsp;on disk and uses it to dump the&nbsp;lsass&nbsp;process, probably in order to gather in-memory secrets, such as credentials<\/li><li><a href=\"http:\/\/www.unixwiz.net\/tools\/nbtscan.html\" target=\"_blank\" rel=\"noreferrer noopener\">Nbtscan<\/a>, a NetBIOS scanner<\/li><li>A loader for the SparrowDoor backdoor<\/li><\/ul>\n\n\n\n<p>Through our telemetry, we were able to recover only the loader component (SHA-1:&nbsp;E2B0851E2E281CC7BCA3D6D9B2FA0C4B7AC5A02B). We also found a very similar loader on VirusTotal (SHA-1:&nbsp;BB2F5B573AC7A761015DAAD0B7FF03B294DC60F6) that allowed us to find the missing components, including SparrowDoor.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SparrowDoor<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Loader<\/h3>\n\n\n\n<p>SparrowDoor is initially loaded via DLL search order hijacking, using three elements \u2013 a legitimate K7 Computing executable (Indexer.exe) used as the DLL hijacking host, a malicious DLL (K7UI.dll), and encrypted shellcode (MpSvc.dll) \u2013 all of which are dropped in&nbsp;%PROGRAMDATA%\\Software\\. It can be assumed that the command line argument used with the initial SparrowDoor execution, in order to set up persistence, is either nothing or anything but&nbsp;-i,&nbsp;-k&nbsp;or&nbsp;-d&nbsp;(the functionalities of these three arguments are explained below). Once persistence is set up, SparrowDoor is executed with the&nbsp;-i&nbsp;command line argument. 
Figure 2 gives a brief overview of the initial loading process; the rest of this section walks through it in detail.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"595\" height=\"1024\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-2.-SparrowDoor-staging-768x1321-1-595x1024.png\" alt=\"\" class=\"wp-image-5889\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-2.-SparrowDoor-staging-768x1321-1-595x1024.png 595w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-2.-SparrowDoor-staging-768x1321-1-74x128.png 74w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-2.-SparrowDoor-staging-768x1321-1.png 768w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/figure>\n\n\n\n<p><em>Figure 2. SparrowDoor staging<\/em><\/p>\n\n\n\n<p>The legitimate executable,&nbsp;Indexer.exe, requires the library&nbsp;K7UI.dll&nbsp;to operate. The OS therefore searches for the DLL in the directories of the standard DLL search order. Because the directory containing&nbsp;Indexer.exe&nbsp;is searched first, the application is exposed to DLL search-order hijacking, and that is exactly how the malware gets loaded.&nbsp;Indexer.exe&nbsp;loads the malicious&nbsp;K7UI.dll, which in turn patches the code in&nbsp;Indexer.exe&nbsp;(from&nbsp;call WinMain&nbsp;to&nbsp;jmp K7UI.0x100010D0) and then returns to&nbsp;Indexer.exe. As a result,&nbsp;Indexer.exe&nbsp;ends up running a subroutine in&nbsp;K7UI.dll&nbsp;(located in the&nbsp;.text&nbsp;section) instead of calling&nbsp;WinMain. We will refer to this subroutine as&nbsp;<strong>launcher<\/strong>. 
The functionality of&nbsp;<strong>launcher<\/strong>&nbsp;is to load&nbsp;MpSvc.dll&nbsp;(the encrypted shellcode) into memory from the directory that also stores&nbsp;Indexer.exe, decrypt the content and then execute the shellcode.<\/p>\n\n\n\n<p>The shellcode (MpSvc.dll) is encrypted with a four-byte XOR key, which is stored as the first four bytes of the file.<\/p>\n\n\n\n<p>The&nbsp;MpSvc.dll&nbsp;shellcode loads the libraries it needs to build a PE image in memory and locates the addresses of the functions it will use. It then allocates RWX memory and copies the relevant regions of the shellcode into it, reconstructing the PE image, and resolves the imports of several functions from different libraries. Finally, it executes the newly built backdoor PE from its entry point. Interestingly, this rebuilt executable image has no PE headers, as shown in Figure 3, so the loader executes the backdoor by jumping to the entry point at a hardcoded offset within the allocated memory.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"696\" height=\"959\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-3.-The-PE-header-is-missing-in-the-newly-built-backdoor-from-the-MpSvc.dll-shellcode.png\" alt=\"\" class=\"wp-image-5892\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-3.-The-PE-header-is-missing-in-the-newly-built-backdoor-from-the-MpSvc.dll-shellcode.png 696w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-3.-The-PE-header-is-missing-in-the-newly-built-backdoor-from-the-MpSvc.dll-shellcode-93x128.png 93w\" sizes=\"auto, (max-width: 696px) 100vw, 696px\" 
\/><\/figure>\n\n\n\n<p><em>Figure 3. The PE header is missing in the newly built backdoor from the MpSvc.dll shellcode<\/em><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Backdoor<\/h3>\n\n\n\n<p>The arguments passed to the backdoor are inherited from the arguments passed to&nbsp;Indexer.exe, or to any other binary that gets the shellcode\/backdoor injected. The tasks performed by the backdoor after an argument is specified are shown in Table 1.<\/p>\n\n\n\n<p><em>Table 1. Actions performed based on the command line arguments provided to SparrowDoor<\/em><\/p>\n\n\n\n<figure id=\"tablepress-1000\" class=\"wp-block-table\"><table><thead><tr><th>Argument<\/th><th>Action<\/th><\/tr><\/thead><tbody><tr><td>No argument or not matching the following<\/td><td>Persistence is set through the registry Run key and a service, which is created and started using the configuration data (described in the next section) hardcoded in the binary. Finally, the backdoor is restarted with the&nbsp;-i&nbsp;switch.<\/td><\/tr><tr><td>-i<\/td><td>The backdoor is restarted with the&nbsp;-k&nbsp;switch.<\/td><\/tr><tr><td>-k<\/td><td>The backdoor interpreter (described later) is called with a&nbsp;<strong>kill switch<\/strong>.<\/td><\/tr><tr><td>-d<\/td><td>The backdoor interpreter is called without a&nbsp;<strong>kill switch<\/strong>.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><em>Note:<\/em><\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><em>The&nbsp;<strong>kill switch<\/strong>&nbsp;gives the backdoor the privilege to uninstall or restart SparrowDoor.<\/em><\/li><li><em>The backdoor interpreter gets called regardless of the argument used because it will always end up with a&nbsp;-k&nbsp;or&nbsp;-d&nbsp;argument.<\/em><\/li><\/ol>\n\n\n\n<h4 class=\"wp-block-heading\"><strong><em>Configuration data<\/em><\/strong><\/h4>\n\n\n\n<p>The configuration is found in the binary and is decrypted using the multi-byte XOR key&nbsp;^&amp;32yUgf. 
The configuration has the following format:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>struct config\n{\n    char domain[64];\n    char user[64];\n    char pass[64];\n    char ip[64];\n    char port[2];\n    char serviceName[64];\n    char serviceDisplayName[128];\n    char serviceDescription[128];\n};<\/code><\/pre>\n\n\n\n<p>The decrypted values are shown in Table 2.<\/p>\n\n\n\n<p><em>Table 2. The key-value pairs of the configuration along with a description of their purpose<\/em><\/p>\n\n\n\n<figure id=\"tablepress-1001\" class=\"wp-block-table\"><table><thead><tr><th>Key<\/th><th>Value<\/th><th>Purpose<\/th><\/tr><\/thead><tbody><tr><td>domain<\/td><td>credits.offices-analytics[.]com<\/td><td>C&amp;C server domain<\/td><\/tr><tr><td>user<\/td><td>user<\/td><td rowspan=\"4\">Proxy settings used to connect to the C&amp;C server<\/td><\/tr><tr><td>pass<\/td><td>pass<\/td><\/tr><tr><td>ip<\/td><td>127.1.1.1<\/td><\/tr><tr><td>port<\/td><td>8080<\/td><\/tr><tr><td>serviceName<\/td><td>WSearchIndex<\/td><td rowspan=\"3\">Information used to create a service for persistence. Note that the&nbsp;serviceName&nbsp;is also used as the value name under the Run key in the registry<\/td><\/tr><tr><td>serviceDisplayName<\/td><td>Windows Search Index<\/td><\/tr><tr><td>serviceDescription<\/td><td>Provides content indexing, property caching, and search results for files, e-mail, and other content.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Connections to the C&amp;C server, whether direct or through a proxy, use port 443 (HTTPS), so the communication should be encrypted using TLS. During the first attempt to contact the C&amp;C server, SparrowDoor checks whether a connection can be established without using a proxy, and if it can\u2019t, then the data is sent through a proxy. 
All outgoing data is encrypted using the XOR key&nbsp;hH7@83#mi&nbsp;and all incoming data is decrypted using the XOR key&nbsp;h*^4hFa. Each message starts with a Command ID, followed by the length of the encrypted data that follows, followed by the encrypted data itself.<\/p>\n\n\n\n<p>Figure 4 shows an example of how the data is sent to the C&amp;C server (in this case it is sending system information), while Figure 5 shows the plaintext form of the same data payload.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"515\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-4.-A-Wireshark-dump-showing-the-data-POSTed-by-the-backdoor-768x515-1.png\" alt=\"\" class=\"wp-image-5895\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-4.-A-Wireshark-dump-showing-the-data-POSTed-by-the-backdoor-768x515-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-4.-A-Wireshark-dump-showing-the-data-POSTed-by-the-backdoor-768x515-1-190x128.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 4. A Wireshark dump showing the data POSTed by the backdoor<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"280\" src=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-5.-The-decrypted-data-containing-system-information-768x280-1.png\" alt=\"\" class=\"wp-image-5898\" srcset=\"https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-5.-The-decrypted-data-containing-system-information-768x280-1.png 768w, https:\/\/blog.eset.ee\/wp-content\/uploads\/2021\/10\/Figure-5.-The-decrypted-data-containing-system-information-768x280-1-190x69.png 190w\" sizes=\"auto, (max-width: 768px) 100vw, 768px\" \/><\/figure>\n\n\n\n<p><em>Figure 5. The decrypted data containing system information<\/em><\/p>\n\n\n\n<p><strong>Victim\u2019s local IP address<\/strong>&nbsp;in this case, converted to dotted-decimal notation, is 192.168.42.1.<\/p>\n\n\n\n<p><strong>Session ID<\/strong>&nbsp;is the Remote Desktop Services session ID associated with the backdoor process, found using the&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/processthreadsapi\/nf-processthreadsapi-processidtosessionid\" target=\"_blank\" rel=\"noreferrer noopener\">ProcessIdToSessionId<\/a>&nbsp;Windows API call.<\/p>\n\n\n\n<p>The&nbsp;<strong>systemInfoHash<\/strong>&nbsp;is computed via the&nbsp;<a href=\"http:\/\/www.cse.yorku.ca\/~oz\/hash.html#sdbm\" target=\"_blank\" rel=\"noreferrer noopener\">sdbm hash algorithm<\/a>, using the username, computer name, host addresses and the session ID.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><em><strong>Backdoor interpreter function<\/strong><\/em><\/h4>\n\n\n\n<p>Privilege escalation is performed in this 
function by adjusting the access token of the SparrowDoor process to enable&nbsp;SeDebugPrivilege. After that, the&nbsp;shutdown&nbsp;function (Ws2_32.dll) is patched to prevent disabling sends and receives on a socket and the&nbsp;closesocket&nbsp;function (Ws2_32.dll) is patched to enable the&nbsp;DONT_LINGER&nbsp;option first to close the socket without waiting for pending data to be sent or received. Finally, system information is sent to the C&amp;C server (as seen in Figures 4 and 5 above) to receive data back in return.<\/p>\n\n\n\n<p>Based on the Command ID field in the data received from the C&amp;C server, the backdoor can perform different malicious actions that are detailed in Table 3.<\/p>\n\n\n\n<p><em>Table 3. Actions performed by SparrowDoor when the corresponding Command IDs are received<\/em><\/p>\n\n\n\n<figure id=\"tablepress-1002\" class=\"wp-block-table\"><table><thead><tr><th>Command&nbsp;ID<\/th><th>Action<\/th><\/tr><\/thead><tbody><tr><td>0x1C615632<\/td><td>The current process is closed.<\/td><\/tr><tr><td>0x1DE15F35<\/td><td>A child&nbsp;svchost.exe&nbsp;process is spawned with&nbsp;processToken&nbsp;information of the process (Process ID) specified by the C&amp;C server, with argument&nbsp;-d&nbsp;and then the shellcode is injected into the process.<\/td><\/tr><tr><td>0x1A6B561A<\/td><td>A directory is created using the name provided by the C&amp;C server.<\/td><\/tr><tr><td>0x18695638<\/td><td>A file is renamed. 
Both the file to be renamed and the new name are provided by the C&amp;C server.<\/td><\/tr><tr><td>0x196A5629<\/td><td>A file is deleted, as specified in the incoming data.<\/td><\/tr><tr><td>0x17685647<\/td><td>If length of the data is 1, and the data matches&nbsp;$, then the length of&nbsp;<strong>systemInfoHash&nbsp;<\/strong>along with an array of drive types are sent.<br><br>If length of the data is greater than 2 and the first 2 bytes of data match&nbsp;$\\, then information about the files in a specified directory is sent. The information included is the following: file attributes, file size and file write time.<\/td><\/tr><tr><td>0x15665665<\/td><td>A new thread is created to exfiltrate the content of a specified file.<\/td><\/tr><tr><td>0x16675656<\/td><td>If the&nbsp;<strong>kill switch<\/strong>&nbsp;is activated, the current persistence settings (registry and service) are removed and the&nbsp;Indexer.exe&nbsp;file is executed (to restart the dropper). If not, the backdoor loop is restarted.<\/td><\/tr><tr><td>0x14655674<\/td><td>A new thread is created to write the data to a specified file.<\/td><\/tr><tr><td>0x12635692<\/td><td>If the&nbsp;<strong>kill switch<\/strong>&nbsp;is activated, the persistence settings are removed, and all the files used by SparrowDoor (Indexer.exe,&nbsp;K7UI.dll&nbsp;and&nbsp;MpSvc.dll) are removed. 
If not, the backdoor loop is restarted.<\/td><\/tr><tr><td>0x13645683<\/td><td>If the data matches&nbsp;&#8220;switch \u201d, then the backdoor is restarted with the&nbsp;-d&nbsp;switch.<br><br>If not, it spawns a&nbsp;cmd.exe&nbsp;shell, and sets up named pipes for input and output (used by the C&amp;C server) to establish an interactive reverse shell.<br><br>If the data matches&nbsp;Exit\\r\\n, then the spawned shell is terminated.<\/td><\/tr><tr><td>Other<\/td><td>Restarts the backdoor loop.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>FamousSparrow is yet another APT group that had access to the ProxyLogon remote code execution vulnerability early in March 2021. It has a history of leveraging known vulnerabilities in server applications such as SharePoint and Oracle Opera. This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all.<\/p>\n\n\n\n<p>The targeting, which includes governments worldwide, suggests that FamousSparrow\u2019s intent is espionage. 
We have highlighted some links to SparklingGoblin and DRBControl, but we don\u2019t consider that these groups are the same.<\/p>\n\n\n\n<p><em>A comprehensive list of Indicators of Compromise (IoCs) and samples can be found in&nbsp;<\/em><a href=\"https:\/\/github.com\/eset\/malware-ioc\/tree\/master\/famoussparrow\" target=\"_blank\" rel=\"noreferrer noopener\"><em>our GitHub repository<\/em><\/a><em>.<\/em><\/p>\n\n\n\n<p><em>For any inquiries, or to make sample submissions related to the subject, contact us at threatintel@eset.com.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Indicators of Compromise<a><\/a><\/h2>\n\n\n\n<figure id=\"tablepress-1003\" class=\"wp-block-table\"><table><thead><tr><th>SHA-1<\/th><th>Filename<\/th><th>ESET detection name<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>B9601E60F87545441BF8579B2F62668C56507F4A<\/td><td>p64.exe<br>debug.log<\/td><td>Win64\/Riskware.Mimikatz.H<\/td><td>Mimikatz<\/td><\/tr><tr><td>4DF896624695EA2780552E9EA3C40661DC84EFC8<\/td><td>p64.exe<br>debug.log<\/td><td>Win64\/Riskware.Mimikatz.H<\/td><td>Mimikatz<\/td><\/tr><tr><td>76C430B55F180A85F4E1A1E40E4A2EA37DB97599<\/td><td>dump.exe<\/td><td>Win64\/Kryptik.BSQ<\/td><td>Lsass dumper<\/td><\/tr><tr><td>873F98CAF234C3A8A9DB18343DAD7B42117E85D4<\/td><td>nbtscan.exe<\/td><td>Win32\/NetTool.Nbtscan.A<\/td><td>Nbtscan<\/td><\/tr><tr><td>FDC44057E87D7C350E6DF84BB72541236A770BA2<\/td><td>1.cab<\/td><td>Win32\/FamousSparrow.A<\/td><td>Dropper<\/td><\/tr><tr><td>C36ECD2E0F38294E1290F4B9B36F602167E33614<\/td><td>Indexer.exe<\/td><td>&#8211;<\/td><td>Legitimate K7 Computing binary<\/td><\/tr><tr><td>BB2F5B573AC7A761015DAAD0B7FF03B294DC60F6<\/td><td>K7UI.dll<\/td><td>Win32\/FamousSparrow.A<\/td><td>Loader<\/td><\/tr><tr><td>23E228D5603B4802398B2E7419187AEF71FF9DD5<\/td><td>MpSvc.dll<\/td><td><\/td><td>Encrypted shellcode<\/td><\/tr><tr><td>2560B7E28B322BB7A56D0B1DA1B2652E1EFE76EA<\/td><td>&#8211;<\/td><td>&#8211;<\/td><td>Decrypted 
shellcode<\/td><\/tr><tr><td>E2B0851E2E281CC7BCA3D6D9B2FA0C4B7AC5A02B<\/td><td>K7UI.dll<\/td><td>Win32\/FamousSparrow.B<\/td><td>Loader<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<figure id=\"tablepress-1004\" class=\"wp-block-table\"><table><thead><tr><th>Domain<\/th><th>IP address<\/th><th>Comment<\/th><\/tr><\/thead><tbody><tr><td>credits.offices-analytics[.]com<\/td><td>45.192.178[.]206<\/td><td>SparrowDoor C&amp;C server<\/td><\/tr><tr><td>&#8211;<\/td><td>27.102.113[.]240<\/td><td>Delivery domain<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">MITRE ATT&amp;CK techniques<\/h2>\n\n\n\n<p>This table was built using&nbsp;<a href=\"https:\/\/attack.mitre.org\/resources\/versions\/\">version 9<\/a>&nbsp;of the MITRE ATT&amp;CK framework.<\/p>\n\n\n\n<figure id=\"tablepress-1005\" class=\"wp-block-table\"><table><thead><tr><th>Tactic<\/th><th>ID<\/th><th>Name<\/th><th>Description<\/th><\/tr><\/thead><tbody><tr><td>Resource Development<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1588\/005\" rel=\"noreferrer noopener\" target=\"_blank\">T1588.005<\/a><\/td><td>Obtain Capabilities: Exploits<\/td><td>FamousSparrow used RCE vulnerabilities against Microsoft Exchange, SharePoint and Oracle Opera.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1583\/001\" rel=\"noreferrer noopener\" target=\"_blank\">T1583.001<\/a><\/td><td>Acquire Infrastructure: Domains<\/td><td>FamousSparrow purchased a domain at Hosting Concepts.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1583\/004\" rel=\"noreferrer noopener\" target=\"_blank\">T1583.004<\/a><\/td><td>Acquire Infrastructure: Server<\/td><td>FamousSparrow rented servers at Shanghai Ruisu Network Technology and DAOU TECHNOLOGY.<\/td><\/tr><tr><td>Initial Access<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1190\" rel=\"noreferrer noopener\" 
target=\"_blank\">T1190<\/a><\/td><td>Exploit Public-Facing Application<\/td><td>FamousSparrow used RCE vulnerabilities against Microsoft Exchange, SharePoint and Oracle Opera.<\/td><\/tr><tr><td>Execution<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1059\/003\" rel=\"noreferrer noopener\" target=\"_blank\">T1059.003<\/a><\/td><td>Command and Scripting Interpreter: Windows Command Shell<\/td><td>FamousSparrow used&nbsp;cmd.exe&nbsp;to run commands to download and install SparrowDoor.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1203\" rel=\"noreferrer noopener\" target=\"_blank\">T1203<\/a><\/td><td>Exploitation for Client Execution<\/td><td>FamousSparrow used RCE vulnerabilities in Microsoft Exchange, SharePoint and Oracle Opera to install SparrowDoor.<\/td><\/tr><tr><td>Persistence<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1547\/001\" rel=\"noreferrer noopener\" target=\"_blank\">T1547.001<\/a><\/td><td>Boot or Logon Autostart Execution: Registry Run Keys \/ Startup Folder<\/td><td>SparrowDoor achieves persistence through the HKCU Run registry value&nbsp;WSearchIndex =&nbsp;\\Indexer.exe -i&nbsp;registry entry.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1543\/003\" rel=\"noreferrer noopener\" target=\"_blank\">T1543.003<\/a><\/td><td>Create or Modify System Process: Windows Service<\/td><td>FamousSparrow installs SparrowDoor as a service named&nbsp;WSearchIndex.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1574\/001\" rel=\"noreferrer noopener\" target=\"_blank\">T1574.001<\/a><\/td><td>Hijack Execution Flow: DLL Search Order Hijacking<\/td><td>FamousSparrow loads the malicious&nbsp;K7UI.dll&nbsp;through DLL search order hijacking.<\/td><\/tr><tr><td>Defense Evasion<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1055\/001\" 
rel=\"noreferrer noopener\" target=\"_blank\">T1055.001<\/a><\/td><td>Process Injection: Dynamic-link Library Injection<\/td><td>MpSvc.dll&nbsp;(shellcode) is injected into processes by SparrowDoor.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1134\/002\" rel=\"noreferrer noopener\" target=\"_blank\">T1134.002<\/a><\/td><td>Access Token Manipulation: Create Process with Token<\/td><td>SparrowDoor creates processes with tokens of processes specified by the C&amp;C server, using the&nbsp;CreateProcessAsUserA&nbsp;API.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1134\" rel=\"noreferrer noopener\" target=\"_blank\">T1134<\/a><\/td><td>Access Token Manipulation<\/td><td>SparrowDoor tries to adjust its token privileges to receive&nbsp;SeDebugPrivilege.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1027\" rel=\"noreferrer noopener\" target=\"_blank\">T1027<\/a><\/td><td>Obfuscated Files or Information<\/td><td>The shellcode,&nbsp;MpSvc.dll, is encrypted using XOR, along with the config embedded within SparrowDoor.<\/td><\/tr><tr><td>Credential Access<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1003\/\" rel=\"noreferrer noopener\" target=\"_blank\">T1003<\/a><\/td><td>OS Credential Dumping<\/td><td>FamousSparrow makes use of a custom Mimikatz version.<\/td><\/tr><tr><td>Discovery<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1082\" rel=\"noreferrer noopener\" target=\"_blank\">T1082<\/a><\/td><td>System Information Discovery<\/td><td>SparrowDoor collects the username, computer name, RDP session ID, and drive types in the system and sends this data to the C&amp;C server.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1083\" rel=\"noreferrer noopener\" target=\"_blank\">T1083<\/a><\/td><td>File and Directory 
Discovery<\/td><td>SparrowDoor can probe files in a specified directory obtaining their names, attributes, sizes and last modified times, and sends this data to the C&amp;C server.<\/td><\/tr><tr><td>Collection<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1005\" rel=\"noreferrer noopener\" target=\"_blank\">T1005<\/a><\/td><td>Data from Local System<\/td><td>SparrowDoor has the ability to read file contents and exfiltrate them to the C&amp;C server.<\/td><\/tr><tr><td>Command and Control<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1071\/001\" rel=\"noreferrer noopener\" target=\"_blank\">T1071.001<\/a><\/td><td>Application Layer Protocol: Web Protocols<\/td><td>SparrowDoor communicates with the C&amp;C server using the HTTPS protocol.<\/td><\/tr><tr><td><\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1573\/001\" rel=\"noreferrer noopener\" target=\"_blank\">T1573.001<\/a><\/td><td>Encrypted Channel: Symmetric Cryptography<\/td><td>SparrowDoor encrypts\/decrypts communications with its C&amp;C server using different multi-byte XOR keys.<\/td><\/tr><tr><td>Exfiltration<\/td><td><a href=\"https:\/\/attack.mitre.org\/versions\/v9\/techniques\/T1041\" rel=\"noreferrer noopener\" target=\"_blank\">T1041<\/a><\/td><td>Exfiltration Over C2 Channel<\/td><td>SparrowDoor exfiltrates data over its C&amp;C channel.<\/td><\/tr><\/tbody><\/table><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>ESET researchers have uncovered a new cyberespionage group targeting hotels, governments, and private companies worldwide. We have named this group FamousSparrow and we believe it has been active since at least 2019. 
Reviewing telemetry data during our investigation, we realized that FamousSparrow leveraged the Microsoft Exchange vulnerabilities known as ProxyLogon that&nbsp;we described extensively in March<\/p>\n","protected":false},"author":5,"featured_media":5901,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[160],"tags":[],"class_list":["post-5883","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware"],"acf":[],"yoast_head_json":{"title":"FamousSparrow: A suspicious hotel guest - ESET Eesti Blogi","canonical":"https:\/\/blog.eset.ee\/et\/en\/2021\/10\/04\/famoussparrow-a-suspicious-hotel-guest\/","og_type":"article","article_published_time":"2021-10-04T07:25:00+00:00","article_modified_time":"2021-10-08T11:19:06+00:00","author":"ESET Blog","twitter_misc":{"Written by":"ESET Blog","Est. reading time":"12 minutes"}},"amp_enabled":true}