SparrowDoor

SparrowDoor is the main threat used by a newly discovered APT (Advanced Persistent Threat) group tracked as FamousSparrow. The hackers appear to be targeting hotels across the globe with the intention of siphoning data. On separate occasions, FamousSparrow also has compromised engineering companies, law firms and government organizations. 

The Deployment of SparrowDoor

The SparrowDoor backdoor is delivered to the victim's machine via a loader that relies on DLL hijacking (side-loading). The loader uses three elements - a legitimate K7 Computing executable file (Indexer.exe), a malicious DLL file (K7UI.dll) that the executable loads in place of the genuine library, and an encrypted shellcode file (MpSvc.dll). All three are dropped into the %PROGRAMDATA%\Software\ folder. 

To establish persistence, SparrowDoor relies on a Registry Run key, and a service created and launched using the configuration data hardcoded into the malware's binary. Afterward, it attempts to escalate its privileges by adjusting the access token of its process. The final step includes sending system data to the Command-and-Control (C2, C&C) server and then waiting for incoming commands. 
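The deployment chain above (three files dropped into %PROGRAMDATA%\Software\, the legitimate Indexer.exe started from that folder, then a Run key and a service for persistence) is the kind of sequence a defender can match in endpoint telemetry. The following triage helper is an added example and not code from the original page or from any vendor; it runs over constructed, Sysmon-style event records (field names such as EventID, TargetFilename, TargetObject, Details and Image follow Sysmon conventions, and the event ID 7045 record mimics the Windows System log's "new service installed" entry). The file names and drop folder come from the page; every event record is constructed sample data.

```python
"""Triage helper for the SparrowDoor loader / persistence pattern.

Added example, not code from the original page or any vendor. It scans
constructed, Sysmon-style event records (dicts) for:
  * the loader triad (Indexer.exe, K7UI.dll, MpSvc.dll) dropped under
    %PROGRAMDATA%\\Software\\
  * a Registry Run value or a service whose image path points into that folder
  * the legitimate Indexer.exe executing from that folder (side-loading stage)
"""
from __future__ import annotations

import ntpath
import re

DROP_DIR = r"c:\programdata\software"            # drop folder named on the page, lower-cased
TRIAD = {"indexer.exe", "k7ui.dll", "mpsvc.dll"}  # file names named on the page
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.IGNORECASE)


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: strip quotes, lower-case, expand %PROGRAMDATA%."""
    return path.strip('"').lower().replace("%programdata%", r"c:\programdata")


def _in_drop_dir(path: str) -> bool:
    return ntpath.dirname(_norm(path)) == DROP_DIR


def analyse(events: list[dict]) -> list[str]:
    """Return human-readable findings, one per matched behaviour (empty list = nothing seen)."""
    findings: list[str] = []
    dropped: set[str] = set()

    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:  # Sysmon FileCreate
            target = ev["TargetFilename"]
            if _in_drop_dir(target):
                dropped.add(ntpath.basename(_norm(target)))
        elif eid == 13:  # Sysmon RegistryEvent (value set)
            if RUN_KEY_RE.search(ev["TargetObject"]) and _in_drop_dir(ev["Details"]):
                findings.append(f"Run-key persistence -> {ev['Details']}")
        elif eid == 7045:  # System log: new service installed (constructed record shape)
            if _in_drop_dir(ev["ImagePath"]):
                findings.append(f"Service persistence '{ev['ServiceName']}' -> {ev['ImagePath']}")
        elif eid == 1:  # Sysmon ProcessCreate
            img = _norm(ev["Image"])
            if ntpath.basename(img) == "indexer.exe" and _in_drop_dir(img):
                findings.append(f"Signed Indexer.exe executing from drop folder: {ev['Image']}")

    # Only raise the high-confidence loader finding when all three pieces landed in the folder.
    if TRIAD <= dropped:
        findings.insert(0, "SparrowDoor loader triad dropped in " + DROP_DIR)
    return findings


# Constructed sample telemetry mimicking the deployment chain (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Software\Indexer.exe"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Software\K7UI.dll"},
    {"EventID": 11, "TargetFilename": r"C:\ProgramData\Software\MpSvc.dll"},
    {"EventID": 1, "Image": r"C:\ProgramData\Software\Indexer.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Indexer",
     "Details": r"C:\ProgramData\Software\Indexer.exe"},
    {"EventID": 7045, "ServiceName": "IndexerSvc",
     "ImagePath": r'"C:\ProgramData\Software\Indexer.exe"'},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},  # benign noise
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

Matching on the exact three file names is brittle (a renamed loader slips past), so the Run-key, service and process checks are deliberately keyed on the drop folder rather than on the names; in a real pipeline the folder check would be generalised to "signed vendor executable running from a user-writable path".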

Threatening Functionality

SparrowDoor recognizes over 10 different commands. It can manipulate the file system on the compromised machine - creating, renaming and deleting files. It also can exfiltrate various data to the server, including file information (file attributes, file size, and file write time) and the contents of specified files. The malware can terminate running processes and establish an interactive reverse shell. If the hackers need to mask their traces, they can instruct SparrowDoor to remove its persistence mechanism and delete its files. 
