{"id":2528,"date":"2025-03-28T11:59:57","date_gmt":"2025-03-28T11:59:57","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2528"},"modified":"2025-03-28T11:59:57","modified_gmt":"2025-03-28T11:59:57","slug":"salt-typhoon-may-have-upgraded-backdoors-for-efficiency-and-evasion","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2528","title":{"rendered":"Salt Typhoon may have upgraded backdoors for efficiency and evasion"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The notorious China-backed APT group, Salt Typhoon, appears to have upgraded its arsenal with enhanced backdoors, even as the US cranks up the <a href=\"https:\/\/www.csoonline.com\/article\/3617298\/security-teams-should-act-now-to-counter-chinese-threat-says-cisa.html\">pressure on Chinese espionage<\/a>.<\/p>\n<p>According to ESET Research, which tracks the threat group as FamousSparrow, the group has deployed two new versions of its SparrowDoor backdoor for modularity and parallel command execution.<\/p>\n<p>\u201cBoth of these versions of SparrowDoor constitute marked progress over earlier ones, especially in terms of code quality and architecture,\u201d ESET said in a <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow\/\">blog post<\/a>. 
\u201cOne of them resembles the backdoor that researchers at Trend Micro called <em>CrowDoor<\/em> and attributed to the Earth Estries APT group in November 2024.\u201d<\/p>\n<p>GhostSparrow \u2014 aka Salt Typhoon (Microsoft), Earth Estries (Trend Micro), GhostEmperor (Kaspersky Labs), and UNC2286 (Mandiant) \u2014 has escalated cyber espionage, <a href=\"https:\/\/www.csoonline.com\/article\/3632044\/more-telecom-firms-were-breached-by-chinese-hackers-than-previously-reported.html\">breaching US telecom networks<\/a> and accessing data on over a million individuals.<\/p>\n<h2 class=\"wp-block-heading\"><strong>New variants feature parallel command execution<\/strong><\/h2>\n<p>One of the key features ESET reported in the two previously unseen variants is their ability to execute commands in parallel. This means the new variants can execute tasks in parallel threads to enhance efficiency, evade detection, and maintain persistence.<\/p>\n<p>\u201cThe most significant change is the parallelization of time-consuming commands, such as file I\/O and the interactive shell,\u201d ESET said. 
\u201cThis allows the backdoor to continue handling new commands while those tasks are performed.\u201d<\/p>\n<p>Running these critical yet time-consuming operations concurrently with the handling of new commands makes detection and disruption harder, as tasks like data exfiltration or system modification continue uninterrupted even as backdoor analysis or interruption is attempted.<\/p>\n<p>Additionally, the new modularity introduced within the backdoor allows it to dynamically update configurations, switch between multiple C&amp;C servers, and execute custom payloads without redeployment, according to ESET.<\/p>\n<h2 class=\"wp-block-heading\"><strong>New variants used in attacks on US and Mexican organizations<\/strong><\/h2>\n<p>ESET researchers reported spotting the SparrowDoor variants while investigating a security incident in July 2024 at a finance trade group operating in the US.<\/p>\n<p>\u201cWhile helping the affected entity remediate the compromise, we made the unexpected discovery in the victim\u2019s network,\u201d the researchers said. \u201cThis campaign is also the first documented time FamousSparrow used ShadowPad, a privately sold backdoor, known to only be supplied to China-aligned threat actors.\u201d<\/p>\n<p>The campaign extended to a breach of a research institute in Mexico, two days prior to the US compromise. When researchers fed the techniques and IoCs into a tracking system, it revealed additional activities, one of which was an attack on a government institute in Honduras. ESET is still investigating the others.<\/p>\n<p>While ESET attributes the July campaign with high confidence to the entity it tracks as FamousSparrow, the firm has reservations about identifying it as Microsoft\u2019s Salt Typhoon. \u201cThere are a few overlaps between the two but many discrepancies,\u201d it said. 
\u201cBased on our data and analysis of the publicly available reports, FamousSparrow appears to be its own distinct cluster with loose links to (Salt Typhoon).\u201d While Microsoft <a href=\"https:\/\/learn.microsoft.com\/en-us\/unified-secops-platform\/microsoft-threat-actor-naming\">claims<\/a> Salt Typhoon is the same as FamousSparrow and GhostEmperor, the threat intelligence leader has yet to attribute any such activities as discovered by ESET researchers.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The notorious China-backed APT group, Salt Typhoon, appears to have upgraded its arsenal with enhanced backdoors, even as the US cranks up the pressure on Chinese espionage. According to ESET Research, which tracks the threat group as FamousSparrow, the group has deployed two new versions of its SparrowDoor backdoor for modularity and parallel command execution. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2529,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2528","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2528"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2528"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2528\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2529"}],"wp:attachment":[{"href":"https:\/\
/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}