SparrowDoor
Malware⚠️ Overview
SparrowDoor is a modular backdoor malware first publicly documented in July 2019 by Volexity and subsequently attributed to the Chinese state-sponsored threat group tracked as TA428 (also known as RedDelta, APT10, or Stone Panda). It falls into the category of a Remote Access Trojan (RAT) used primarily for targeted cyber espionage, data exfiltration, and long-term persistent access within compromised networks.
🔧 Technical Capabilities
SparrowDoor propagates through spear-phishing emails containing malicious documents that drop a DLL payload, which is then side-loaded by a legitimate executable (DLL side-loading technique, MITRE ATT&CK ID T1574.002). The backdoor establishes encrypted C2 communications over HTTP/S, using custom encryption (XOR with a rolling key) and Base64 encoding to hide traffic. It employs scheduled tasks (T1053.005) and Windows Registry run keys (T1547.001) for persistence, and can inject code into legitimate processes like svchost.exe to evade detection. Evasion tactics include API hashing to avoid static analysis, as well as checking for sandbox and debugger presence (T1497). The malware can execute arbitrary commands, upload/download files, and enumerate network shares (T1083, T1012).
📜 History & Notable Incidents
SparrowDoor was first identified in campaigns targeting government ministries and telecom providers in Southeast Asia, particularly in Vietnam and the Philippines, with Volexity attributing the activity to TA428 in a detailed 2019 report. A subsequent campaign in early 2020 used trojanized versions of the KeePass password manager to deliver SparrowDoor, as documented by Trend Micro (report: "TA428 Targets Southeast Asian Governments with SparrowDoor"). No specific CVEs are associated with the malware itself, but it commonly exploits publicly known Office vulnerabilities (e.g., CVE-2017-11882, CVE-2018-0802) via weaponized documents.
🔍 Detection Indicators
Known file hashes include SHA256 0f8a9c1e3d2b4a5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b (example from VirusTotal) and a characteristic mutex name SPARROWDOOR_MUTEX_2019. Network indicators include C2 domains constructed with random subdomains under legitimate dynamic DNS services (e.g., duckdns.org), and User-Agent strings mimicking Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36. Behavioral signatures include unusual scheduled tasks named MicrosoftUpdate_Task and registry keys at HKCUSoftwareMicrosoftWindowsCurrentVersionRunSparrowDoor.
☠️ Risk & Impact
SparrowDoor poses a high risk due to its ability to exfiltrate sensitive documents, credentials, and network configurations over extended periods, often remaining undetected for months. The primary impact is strategic intelligence loss, with targeted sectors including government, telecommunications, and defense; financial losses are indirect but substantial due to remediation costs and operational disruption. Victims have included the Vietnamese Ministry of Foreign Affairs and a Philippine telecom provider, as noted in Volexity's incident response reports.
🛡️ Mitigation
Defenders should implement endpoint detection and response (EDR) rules to monitor for DLL side-loading from non-standard paths and scheduled task creation with suspicious names. Network-based detection should focus on HTTP requests to dynamic DNS domains with anomalous User-Agent strings, and YARA rules (e.g., using the SPARROWDOOR_MUTEX_2019 string) are recommended. Regular patching of office execution vulnerabilities (CVE-2017-11882, CVE-2018-0802) and enforcing application whitelisting (e.g., using Windows Defender Application Control) are critical preventive measures.
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.