CrowDoor and attributed to the Earth Estries APT group in November 2024.”GhostSparrow, aka Salt Typhoon (Microsoft), Earth Estries (Trend Micro), Ghost Emperor (Kaspersky Labs), and UNC2286 (Mandiant), has escalated cyber espionage, breaching US telecom networks and accessing data on over a million individuals. One of the key features ESET reported on the two previously unseen variants is their ability to execute parallel commands. This means the new variants can execute tasks in parallel threads to enhance efficiency, evade detection, and maintain persistence.”The most significant change is the parallelization of time-consuming commands, such as file I/O and the interactive shell,” ESET said. “This allows the backdoor to continue handling new commands while those tasks are performed.”The concurrent running of critical yet time consuming operations to new commands makes detection and disruption harder as tasks like data exfiltration or system modification continues uninterrupted even as backdoor analysis or interruption is attempted.Additionally, the new modularity introduced within the backdoor allows it to dynamically update configurations, switch between multiple C&C servers, and execute custom payloads without redeployment, according to ESET. New variants used in attacks on US and Mexican organizations: ESET researchers reported spotting the SparrowDoor variants while investigating a security incident in July 2024 at a finance trade group operating in the US.”While helping the affected entity remediate the compromise, we made the unexpected discovery in the victim’s network,” the researchers said. “This campaign is also the first documented time FamousSparrow used ShadowPad, a privately sold backdoor, known to only be supplied to China-aligned threat actors.”The campaign extended to a breach of a research institute in Mexico, two days prior to the US compromise. When researchers fed the techniques and IoCs into a tracking system, it revealed additional activities, one of which was an attack on a government institute in Honduras. ESET is still investigating the others.While ESET attributes the July campaign to the entity it tracks as FamousSparrow with high confidence, the firm has reservations about identifying it as Microsoft’s Salt Typhoon. “There are a few overlaps between the two but many discrepancies,” it said. “Based on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to (Salt Typhoon),” While Microsoft claims Salt Typhoon is the same as FamousSparrow and GhostEmperor, the threat intelligence leader has yet to attribute any such activities as discovered by ESET researchers.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3856291/salt-typhoon-may-have-upgraded-backdoors-for-efficiency-and-evasion.html
