Security Experts:

Connect with us

Hi, what are you looking for?



FamousSparrow Cyberspies Exploit ProxyLogon in Attacks on Governments, Hotels

A cyberespionage group active since at least 2019 started exploiting ProxyLogon one day after the Microsoft Exchange vulnerability was publicly disclosed, ESET security researchers say.

A cyberespionage group active since at least 2019 started exploiting ProxyLogon one day after the Microsoft Exchange vulnerability was publicly disclosed, ESET security researchers say.

Active since at least August 2019 and tracked as FamousSparrow, the group is mainly targeting hotels, but has also attacked government organizations, law firms, and international companies in roughly a dozen countries, including Brazil, Canada, Israel, Saudi Arabia, Taiwan, and the United Kingdom.

Starting March 3, the day after Microsoft announced that adversaries had been targeting multiple zero-day vulnerabilities in Exchange Server, FamousSparrow too started exploiting the remote code execution flaws tracked as ProxyLogon, ESET reveals.

The security firm considers FamousSparrow to be a separate threat actor from other adversaries, yet with some connections to known advanced persistent threat (APT) groups, including China-linked SparklingGoblin and DRBControl.

The cyberespionage group likely targeted vulnerabilities in Microsoft Exchange (including ProxyLogon), Microsoft SharePoint and Oracle Opera (hotel management software) to drop malicious tools, including Mimikatz, a small utility that drops ProcDump, the Nbtscan NetBIOS scanner, and a loader for SparrowDoor, the group’s custom backdoor.

The loader is responsible for setting up persistence, and SparrowDoor is restarted with a kill switch, to have the privilege to uninstall or restart the backdoor.

Commands supported by the malware allow it to close the current process, spawn a child svchost process, create a directory, rename or delete files, write data to a file, remove persistence settings, and restart the backdoor.

FamousSparrow’s fast access to the ProxyLogon vulnerabilities in early March, along with the group’s history of exploiting known security holes in server applications, show that organizations should patch internet-facing applications as soon as possible, or ensure that those assets are no longer exposed to the Internet.

“The targeting, which includes governments worldwide, suggests that FamousSparrow’s intent is espionage. We have highlighted some links to SparklingGoblin and DRBControl, but we don’t consider that these groups are the same,” ESET concludes.

Related: U.S., Allies Officially Accuse China of Microsoft Exchange Attacks

Related: Hundreds of Thousands of Credentials Leaked Due to Microsoft Exchange Protocol Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...