Description of Campaign
A new variant of SparrowDoor was discovered containing a new functionality. The malware performs reflective loading of the payload, uses multiple defense techniques, uses HTTPS for command-and-control communication, and can open a reverse shell. A new Windows service or registry run key is used for persistence while token impersonation, dll side-loading, process injection, masquerading, and signed binary proxy execution are used for defense evasion.

Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by the National Cyber Security Centre (NCSC) and shared publicly.

How to use this article:

1. Scroll down and review the Product Countermeasures section of this article. Consider implementing them if they are not already in place.
2. Review the following articles:
   • KB87843 - Dynamic Application Containment rules and best practices
   • KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event 

Threat Hunting

YARA	rule SparrowDoor_apipatch { meta: author = "NCSC" description = "Identifies code segments in SparrowDoor responsible for patching APIs. No MZ/PE match as the backdoor has no header. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $save = {8B 06 89 07 8A 4E 04} // save off first 5 bytes of function $vp_1 = {89 10 8A 4E 04 8B D6 2B D0 88 48 04 83 EA 05 C6 40 05 E9 89 50 06} // calculate long jump $vp_2 = {50 8B D6 6A 40 2B D7 88 4F 04 83 EA 05 6A 05 C6 47 05 E9 89 57 06 56} // calculate long jump 2 $vp_3 = {51 52 2B DE 6A 05 83 EB 05 56 C6 06 E9 89 5E 01} // restore memory protections $va = {6A 40 68 00 10 00 00 68 00 10 00 00 6A 00} // virtually alloc set size, allocation and protection $s_patch = {50 68 7F FF FF FF 68 FF FF 00 00 56} // socket patch SO_DONTLINGER condition: 3 of them }
YARA	rule SparrowDoor_clipshot { meta: author = "NCSC" description = "The SparrowDoor loader contains a feature it calls clipshot, which logs clipboard data to a file." date = "2022-02-28" hash1 = "989b3798841d06e286eb083132242749c80fdd4d" strings: $exsting_cmp = {8B 1E 3B 19 75 ?? 83 E8 04 83 C1 04 83 C6 04 83 F8 04} // comparison routine for previous clipboard data $time_format_string = "%d/%d/%d %d:%d" ascii $cre_fil_args = {6A 00 68 80 00 00 00 6A 04 6A 00 6A 02 68 00 00 00 40 52} condition: (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and all of them and (pe.imports("User32.dll","OpenClipboard") and pe.imports("User32.dll","GetClipboardData") and pe.imports("Kernel32.dll","GetLocalTime") and pe.imports("Kernel32.dll","GlobalSize")) }
YARA	rule SparrowDoor_config { meta: author = "NCSC" description = "Targets the XOR encoded loader config and shellcode in the file libhost.dll using the known position of the XOR key." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" condition: (uint16(0) != 0x5A4D) and (uint16(0) != 0x8b55) and (uint32(0) ^ uint32(0x4c) == 0x00) and (uint32(0) ^ uint32(0x34) == 0x00) and (uint16(0) ^ uint16(0x50) == 0x8b55) }
YARA	rule SparrowDoor_loader { meta: author = "NCSC" description = "Targets code features of the SparrowDoor loader. This rule detects the previous variant and this new variant." date = "2022-02-28" hash1 = "989b3798841d06e286eb083132242749c80fdd4d" strings: $xor_algo = {8B D0 83 E2 03 8A 54 14 10 30 14 30 40 3B C1} $rva = {8D B0 [4] 8D 44 24 ?? 50 6A 40 6A 05 56} // load RVA of process exe $lj = {2B CE 83 E9 05 8D [3] 52 C6 06 E9 89 4E 01 8B [3] 50 6A 05 56} // calculate long jump condition: (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and all of them }
YARA	rule SparrowDoor_shellcode { meta: author = "NCSC" description = "Targets code features of the reflective loader for SparrowDoor. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $peb = {8B 48 08 89 4D FC 8B 51 3C 8B 54 0A 78 8B 74 0A 20 03 D1 03 F1 B3 64} $getp_match = {8B 06 03 C1 80 38 47 75 34 80 78 01 65 75 2E 80 78 02 74 75 28 80 78 03 50 75 22 80 78 04 72 75 1C 80 78 06 63 75 16 80 78 05 6F 75 10 80 78 07 41 75 0A} $k_check = {8B 48 20 8A 09 80 F9 6B 74 05 80 F9 4B 75 05} $resolve_load_lib = {C7 45 C4 4C 6F 61 64 C7 45 C8 4C 69 62 72 C7 45 CC 61 72 79 41 C7 45 D0 00 00 00 00 FF 75 FC FF 55 E4} condition: 3 of them }
YARA	rule SparrowDoor_sleep_routine { meta: author = "NCSC" description = "SparrowDoor implements a Sleep routine with value seeded on GetTickCount. This signature detects the previous and this variant of SparrowDoor. No MZ/PE match as the backdoor has no header. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $sleep = {FF D7 33 D2 B9 [4] F7 F1 81 C2 [4] 8B C2 C1 E0 04 2B C2 03 C0 03 C0 03 C0 50} condition: all of them }
YARA	rule SparrowDoor_xor { meta: author = "NCSC" description = "Highlights XOR routines in SparrowDoor. No MZ/PE match as the backdoor has no header. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $xor_routine_outbound = {B8 39 8E E3 38 F7 E1 D1 EA 8D 14 D2 8B C1 2B C2 8A [4] 00 30 14 39 41 3B CE} $xor_routine_inbound = {B8 25 49 92 24 F7 E1 8B C1 2B C2 D1 E8 03 C2 C1 E8 02 8D 14 C5 [4] 2B D0 8B C1 2B C2} $xor_routine_config = {8B D9 83 E3 07 0F [6] 30 18 8D 1C 07 83 E3 07 0F [6] 30 58 01 8D 1C 28 83 E3 07 0F [6] 30 58 02 8D 1C 02 83 E3 07 0F [6] 30 58 03 8B DE 83 E3 07 0F [6] 30 58 04 83 C6 05 83 C1 05} condition: 2 of them }
YARA	rule SparrowDoor_strings { meta: author = "NCSC" description = "Strings that appear in SparrowDoor's backdoor. Targeting in memory." date = "2022-02-28" hash1 = "c1890a6447c991880467b86a013dbeaa66cc615f" strings: $reg = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" ascii $http_headers = {55 73 65 72 2D 41 67 65 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 35 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35 2E 30 29 0D 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 3A 20 65 6E 2D 55 53 0D 0A 41 63 63 65 70 74 3A 20 2A 2F 2A 0D 0A} $http_proxy = "HTTPS=HTTPS://%s:%d" ascii $debug = "SeDebugPrivilege" ascii $av1 = "avp.exe" ascii // Kaspersky $av2 = "ZhuDongFangYu.exe" ascii // Qihoo360 $av3 = "egui.exe" ascii // ESET $av4 = "TMBMSRV.exe" ascii // Trend Micro $av5 = "ccSetMgr.exe" ascii // Norton $clipshot = "clipshot" ascii $ComSpec = "ComSpec" ascii $export = "curl_easy_init" ascii condition: 10 of them }

This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
 
Campaign IOC

Type	Value
HOSTNAME	cdn181.awsdns-531.com

Minimum set of Manual Rules to improve protection to block this campaign:

IMPORTANT: Always follow best practices when you enable new rules and signatures.

When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.

For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.

Endpoint Security - Advanced Threat Protection: