| Name | Sparrowdoor |
| Associated Groups | FamousSparrow APT |
| Type of Malware | Backdoor Malware |
| Date of Initial Activity | 2021 |
| Motivation | Espionage, steal information |
| Attack Vectors | Vulnerable internet-facing web applications, exploited known remote code execution vulnerabilities in Microsoft Exchange, ProxyLogon, Microsoft SharePoint and Oracle Opera |
| Targeted System | Windows |
Overview
SparrowDoor is an advanced backdoor used by the FamousSparrow APT group to spy on hotels, governments and more. It was spotted exploiting the Microsoft Exchange ProxyLogon vulnerability around March 2021. The backdoor is loaded using DLL Hijacking combined with a legitimate binary, to help bypass AV products.
Targets
Mainly Hotels,and other sectors such as governments, international organizations, engineering companies and law firm. Targets Regular Users from Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand and United Kingdom.
Tools/ Techniques Used
SparrowDoor is a persistent 32-bit loader and backdoor targeting the Windows operating system. The backdoor can be tasked with various commands, such as opening a reverse shell connection with the configured C2 server or exfiltrating data.
There are numerous design features included in the malware to evade detection and frustrate analysis. Once the server is compromised, attackers deploy several custom tools: A Mimikatz variant, A small utility that drops ProcDump on disk and uses it to dump the lsass process, probably in order to gather in-memory secrets, such as credentials, Nbtscan, a NetBIOS scanner, A loader for the SparrowDoor backdoor. SparrowDoor is initially loaded via DLL search order hijacking, using three elements – a legitimate K7 Computing executable (Indexer.exe) used as the DLL hijacking host, a malicious DLL (K7UI.dll), and encrypted shellcode (MpSvc.dll) – all of which are dropped in %PROGRAMDATA%\Software\.
In 2022, Trellix discovered A new variant of SparrowDoor was discovered containing a new functionality. The malware performs reflective loading of the payload, uses multiple defense techniques, uses HTTPS for command-and-control communication, and can open a reverse shell.
A new Windows service or registry run key is used for persistence while token impersonation, dll side-loading, process injection, masquerading, and signed binary proxy execution are used for defense evasion.
