Openhunting Threat Library

SparrowDoor

SparrowDoor, FamousSparrow
(Type: Backdoor)

(ESET) The connections could be either through a proxy or not, and they connect to the C&C server over port 443 (HTTPS). So, the communication should be encrypted using TLS. During the first attempt to contact the C&C server, SparrowDoor checks whether a connection can be established without using a proxy, and if it can’t, then the data is sent through a proxy. All outgoing data is encrypted using the XOR key hH7@83#mi and all incoming data is decrypted using the XOR key h*^4hFa. The data has a structure that starts with a Command ID, followed by the length of the ensuing encrypted data, followed by the encrypted data.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year
1
2021
1
2022


Trend Per Month
1
Sep 2021
1
Feb 2022



[News Analysis] News Mention Another Threat Name:

0 - SparrowDoor


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

Malware Analysis Report: SparrowDoor

2022-02-28 by NCSC UK from NCSC UK

FamousSparrow: A suspicious hotel guest

2021-09-23 by Tahseen Bin Taj from ESET Research

Basic Information (Credit @etda.or.th)

Tool: SparrowDoor

Names: SparrowDoor, FamousSparrow

Description: (ESET) The connections could be either through a proxy or not, and they connect to the C&C server over port 443 (HTTPS). So, the communication should be encrypted using TLS. During the first attempt to contact the C&C server, SparrowDoor checks whether a connection can be established without using a proxy, and if it can’t, then the data is sent through a proxy. All outgoing data is encrypted using the XOR key hH7@83#mi and all incoming data is decrypted using the XOR key h*^4hFa. The data has a structure that starts with a Command ID, followed by the length of the ensuing encrypted data, followed by the encrypted data.

Category: Malware

Type: Backdoor

Information: https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door

Last-card-change: 2022-12-28

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact