A technical analysis of a new variant of the SparrowDoor malware.
# Tool/Technique: SparrowDoor
## Overview
SparrowDoor is a sophisticated loader and backdoor that provides persistent access to compromised Windows environments. It is designed to act as a pivot point for the attacker, supporting secondary payload delivery, data exfiltration and extensive system monitoring. The 2021 variant identified by the NCSC adds stealth and credential-theft features compared with the earlier versions reported by ESET.
## Technical Details
- **Type:** Malware Family (Backdoor / Loader)
- **Platform:** Windows
- **Capabilities:** Persistent access, C2 communication, API hooking, credential theft, and AV evasion.
- **First Seen:** Variant identified on UK networks in 2021 (earlier versions reported by ESET in Sept 2021).
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1140 - Deobfuscate/Decode Files or Information
  - T1056.004 - Input Capture: Credential API Hooking
  - T1562.001 - Impair Defenses: Disable or Evade Anti-Virus
- **TA0006 - Credential Access**
  - T1134 - Access Token Manipulation
  - T1056.002 - Input Capture: GUI Input Capture (Clipboard)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols (HTTPS)
  - T1573.001 - Communication Layer Encryption: Symmetric Cryptography (XOR)
## Functionality
### Core Capabilities
- **C2 Communication:** Utilizes HTTPS as a transport layer for command and control.
- **Data Encoding:** XOR-encodes the C2 data carried inside the standard HTTPS encryption, so the payload is not readily recognised by deep packet inspection even where the TLS session is decrypted.
- **Persistence:** Establishes itself within the system to survive reboots, typically through registry modifications or startup execution.
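The XOR layer above is what a defender has to unpick once TLS inspection exposes a request body, and it is also the "non-standard XOR-encoded blobs" network indicator listed later on this page. The block below is an added example for this summary, not code from the NCSC report or from SparrowDoor itself: it flags a body that is not readable text but decodes cleanly under a short repeating XOR key, and recovers that key. It generalises the single-byte case to any short repeating key (the single-byte case is `key_len == 1`). The beacon body, field names and keys are constructed for the example; the real field layout is not on the page.

```python
"""
Spotting and unpicking XOR-encoded C2 bodies.

Added example, not NCSC or SparrowDoor code. Given a decrypted HTTPS request body,
(1) decide whether it is a non-text blob that becomes text under a short XOR key and
(2) recover that key. The beacon body and keys are CONSTRUCTED for the example.
"""
from itertools import cycle
from typing import Optional

# Space plus the letters that dominate English text; other ASCII scores lower.
COMMON = frozenset(b" etaoinshrdlu")
TEXT_THRESHOLD = 0.98  # fraction of printable bytes needed to call a buffer "text"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with a repeating `key`; encoding and decoding are the same operation."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab, CR and LF included)."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(buf)


def text_score(buf: bytes) -> float:
    """Higher when `buf` reads like ASCII text; non-printable bytes are penalised hard."""
    score = 0.0
    for b in buf:
        if b in COMMON:
            score += 3.0
        elif 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A:
            score += 1.0
        elif 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D):
            score += 0.5
        else:
            score -= 10.0
    return score


def recover_repeating_key(blob: bytes, key_len: int) -> bytes:
    """Recover a `key_len`-byte repeating XOR key, one key position at a time.

    Bytes at offsets i, i+key_len, i+2*key_len, ... were all XORed with the same key
    byte, so each such column is an independent single-byte problem: try all 256
    candidates and keep the one whose decode scores most like text.
    """
    key = bytearray()
    for i in range(key_len):
        column = blob[i::key_len]
        best = max(range(256), key=lambda k: text_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


def looks_xor_encoded(body: bytes, max_key_len: int = 4) -> Optional[dict]:
    """Heuristic behind the 'non-standard XOR-encoded blob' network indicator.

    A body that is not already clean text, but becomes almost entirely printable under
    some short non-zero repeating key, is reported with that key and the decoded bytes.
    Plain JSON or form data returns None, and so does genuinely compressed or
    encrypted data, which stays unreadable under every candidate key.
    """
    if printable_ratio(body) >= TEXT_THRESHOLD:
        return None  # already readable; nothing to unpick
    for key_len in range(1, max_key_len + 1):
        key = recover_repeating_key(body, key_len)
        if not any(key):
            continue  # an all-zero key is the identity, not a finding
        decoded = xor_bytes(body, key)
        if printable_ratio(decoded) >= TEXT_THRESHOLD:
            return {"key": key, "decoded": decoded}
    return None


# Constructed beacon body; the field names are illustrative, not SparrowDoor's format.
SAMPLE_BEACON = (b"id=7f3a host=WORKSTATION-01 user=analyst domain=CORP "
                 b"os=Windows 10 Enterprise task=idle next=300")


if __name__ == "__main__":
    for key in (b"\x5a", b"K3y!"):  # constructed keys: single-byte and four-byte
        body = xor_bytes(SAMPLE_BEACON, key)
        hit = looks_xor_encoded(body)
        print(f"key_len={len(key)} raw_printable={printable_ratio(body):.2f} "
              f"recovered={hit['key']!r} decoded={hit['decoded'][:32]!r}")
```

Two caveats the code makes visible: a single-byte key applied to ASCII text leaves most bytes printable (only the uppercase letters fall into the control range under `0x5a` here), so the raw-body check alone is a weak signal and the decode step is what confirms the finding; and the scoring assumes the hidden data is text-like, so a beacon that carries compressed or encrypted content under the XOR layer will not be recovered this way.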
### Advanced Features
- **Inline API Hooking:** Hooks Windows API functions to intercept system calls, modify return values, or hide its presence from the OS.
- **Token Impersonation:** Capable of stealing and using security tokens of logged-in users to escalate privileges or move laterally.
- **Clipboard Logging:** Monitors and captures data copied to the system clipboard to harvest passwords or sensitive information.
- **AV Detection:** Actively scans for and identifies installed security software to adapt its evasion techniques.
## Indicators of Compromise
*Note: Due to the summary nature of the source landing page, specific hashes should be retrieved from the attached CSV provided by NCSC.*
- **File Hashes:** Refer to `NCSC-MAR-SparrowDoor-indicators.csv` for the full list of MD5/SHA256 hashes.
- **File Names:** Frequently resides in application data folders; specific names vary by deployment.
- **Network Indicators:**
  - C2 Traffic: HTTPS-based traffic to attacker-controlled domains (refer to the NCSC STIX feed for specific defanged domains such as `example[.]com`).
  - Encoding: Look for non-standard XOR-encoded blobs within HTTPS POST/GET requests.
- **Behavioral Indicators:**
  - Unusual registry modifications in `Run` or `RunOnce` keys.
  - Process injection or unexpected API hooking in standard Windows processes (`explorer.exe`, `svchost.exe`).
## Associated Threat Actors
- **Group:** Historically linked to activities targeting Southeast Asian entities (as per ESET), though the specific group identity for the UK variant remains under investigation by national authorities.
## Detection Methods
- **Signature-based detection:** Use the provided YARA rules (`NCSC-MAR-SparrowDoor-yara.txt`) to scan file systems and memory.
- **Behavioral detection:** Monitor for unauthorized token manipulation and unexpected calls to clipboard APIs.
- **SIEM/Sigma:** Implement the NCSC's provided Sigma rules to detect suspicious process execution patterns and registry persistence.
## Mitigation Strategies
- **Endpoint Protection:** Ensure EDR/AV solutions are updated with heuristics that cover SparrowDoor's API hooking.
- **Identity Management:** Enforce the principle of least privilege to mitigate the impact of token impersonation.
- **Network Defense:** Use TLS inspection (where privacy laws allow) to identify XOR-encoded patterns within HTTPS traffic.
- **System Hardening:** Monitor and restrict write access to common persistence locations like Registry Run keys.
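The behavioural indicator "unusual registry modifications in `Run` or `RunOnce` keys" and the System Hardening advice to monitor those locations both reduce to one triage check over registry-write telemetry. The block below is an added example for this summary, not code from the NCSC report or its Sigma rules: it parses Sysmon Event ID 13 (registry value set) records using Sysmon's field names, keeps only writes under `...\CurrentVersion\Run` or `\RunOnce`, and grades each by whether the autostart command or the writing process lives in a user-writable directory, which ties back to the page's note that the loader "frequently resides in application data folders". The events, SIDs, paths and value names are constructed, and the allowlist is an assumed per-environment tuning list rather than anything the page provides.

```python
"""
Triage of registry Run-key writes from Sysmon-style events.

Added example, not NCSC code. Input is JSON-lines with Sysmon Event ID 13 field names
(EventID, Image, TargetObject, Details). All sample contents are CONSTRUCTED; the
allowlist is an assumed tuning list for one environment.
"""
import json
import re
from typing import Dict, List, Optional

# Autostart value under Run or RunOnce, in any hive (HKLM, or HKU\<SID> for a user).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?P<key>Run|RunOnce)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Directories an ordinary user can write to. A loader that "resides in application
# data folders" and is started from a Run key has its command path in one of these.
USER_WRITABLE_RE = re.compile(
    r"\\(AppData|ProgramData|Temp|Downloads|Users\\Public)\\", re.IGNORECASE
)

# Assumed allowlist: value names that legitimately point into AppData in this environment.
ALLOWLISTED_VALUES = {"onedrive"}


def extract_command_path(details: str) -> str:
    """Return the executable path from a Run value like '"C:\\a b\\x.exe" /q' or 'C:\\a b\\x.exe /q'."""
    details = details.strip()
    if details.startswith('"'):
        end = details.find('"', 1)
        return details[1:end] if end != -1 else details[1:]
    m = re.match(r"(?i)(.+?\.exe)(\s|$)", details)  # unquoted path that may contain spaces
    return m.group(1) if m else details.split(" ", 1)[0]


def triage_event(event: Dict) -> Optional[Dict]:
    """Classify one parsed event; None when it is not a Run/RunOnce value write."""
    if event.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    command = extract_command_path(event.get("Details", ""))
    writer = event.get("Image", "")
    reasons: List[str] = []
    if USER_WRITABLE_RE.search(command):
        reasons.append("autostart command lives in a user-writable directory")
    if USER_WRITABLE_RE.search(writer):
        reasons.append("Run key written by a process in a user-writable directory")
    if m.group("value").lower() in ALLOWLISTED_VALUES:
        severity = "allowlisted"
    elif len(reasons) == 2:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "low"  # every Run-key write is worth recording, even a benign-looking one
    return {
        "key": m.group("key"),
        "value": m.group("value"),
        "command": command,
        "writer": writer,
        "severity": severity,
        "reasons": reasons,
    }


def triage_log(lines: List[str]) -> List[Dict]:
    """Run triage over JSON-lines events; one finding per Run/RunOnce write."""
    findings = []
    for line in lines:
        finding = triage_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed Sysmon-style events (JSON lines). Paths, SIDs and names are illustrative.
SAMPLE_EVENTS = [
    r'{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", '
    r'"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive", '
    r'"Details": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}',
    r'{"EventID": 13, "Image": "C:\\Users\\alice\\AppData\\Roaming\\Update\\wupdate.exe", '
    r'"TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdateCheck", '
    r'"Details": "C:\\Users\\alice\\AppData\\Roaming\\Update\\wupdate.exe"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\msiexec.exe", '
    r'"TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\VendorSetup", '
    r'"Details": "C:\\Program Files\\Vendor\\setup.exe /finish"}',
    r'{"EventID": 13, "Image": "C:\\Windows\\System32\\services.exe", '
    r'"TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start", "Details": "DWORD (0x00000002)"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}',
]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_EVENTS):
        print(f"[{f['severity']:^11}] {f['key']}\\{f['value']} -> {f['command']} (writer: {f['writer']})")
```

The allowlist is the part that needs local tuning: cloud-sync clients and similar software legitimately register Run values pointing into `AppData`, so a rule that alerts on every such write drowns the one you care about. Keying the allowlist on the value name alone is deliberately simple; a stricter environment would also pin the expected command path or the signer of the writing process.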
## Related Tools/Techniques
- **Cobalt Strike:** Often used in conjunction with loaders like SparrowDoor for lateral movement.
- **XOR Encoding:** A common obfuscation technique used by various APT-aligned backdoors to mask C2 traffic.