Last year, the UK’s National Cyber Security Centre (NCSC) found a variant of the SparrowDoor backdoor on an undisclosed UK network. An analysis of the variant, which among other things can now steal data from the clipboard, was published today. The NCSC has also released indicators of compromise and YARA rules so that organizations can check their own networks for the malware.
The first version of SparrowDoor was discovered by antivirus company ESET, which reported it being used against hotels worldwide as well as against governments. The attackers broke into organizations by exploiting vulnerabilities in Microsoft Exchange, Microsoft SharePoint and Oracle Opera. Affected organizations were located in Canada, Israel, France, Saudi Arabia, Taiwan, Thailand and the United Kingdom, among others. ESET did not disclose the attackers’ exact targets.
The NCSC says it found the variant on a UK network last year. This version can steal clipboard contents and checks a hardcoded list to see whether certain antivirus products are running. It can also impersonate the logged-on user’s account token when setting up network connections. This “downgrade” is most likely done to avoid attracting attention: network traffic originating from the SYSTEM account, for example, is far more conspicuous than traffic attributed to an ordinary user.
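The defender-side check that this token impersonation is built to evade, as an added example (not code from the NCSC report or from the malware): list established outbound TCP connections with the owning process and the account it runs under, and flag the ones made by SYSTEM. The private-range regex, the column names and the assumption that an elevated session is available are this example’s own.

```powershell
# Added example, not from the NCSC analysis. Run in an elevated PowerShell
# session on Windows 8 / Server 2012 or later (Get-NetTCPConnection needs the
# NetTCPIP module; Get-Process -IncludeUserName needs administrator rights).
#
# Heuristic: an established connection to an external address owned by a
# process running as NT AUTHORITY\SYSTEM stands out. A backdoor that
# impersonates the logged-on user's token before connecting shows up here
# under that user's name instead, which is the point of the "downgrade".

function Test-PrivateAddress {
    param([string]$Address)
    # Assumed "internal" ranges: RFC 1918, loopback and link-local (v4 and v6).
    # Adjust for the environment; anything else is treated as external.
    return $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.|::1$|fe80:)'
}

# Index running processes by PID so each connection can be mapped to a user.
$byPid = @{}
Get-Process -IncludeUserName | ForEach-Object { $byPid[[int]$_.Id] = $_ }

Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        # OwningProcess is a UInt32; cast so the hashtable lookup matches Id.
        $proc = $byPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Process        = if ($proc) { $proc.Name } else { '<exited>' }
            PID            = $_.OwningProcess
            User           = if ($proc) { $proc.UserName } else { '' }
            Remote         = "$($_.RemoteAddress):$($_.RemotePort)"
            # True for the connections a SYSTEM-level implant would produce
            # if it did NOT drop to the user's token.
            SystemOutbound = [bool]($proc -and $proc.UserName -eq 'NT AUTHORITY\SYSTEM')
        }
    } |
    Sort-Object SystemOutbound -Descending |
    Format-Table -AutoSize
```

The output is only a starting point: legitimate services (Windows Update, endpoint agents) also connect outbound as SYSTEM, so the rows flagged `SystemOutbound` need to be compared against a baseline of expected binaries. The other lesson of the table is the one the article draws: once the implant impersonates the user, its connection is indistinguishable from that user’s browser or mail client in this view, so detection has to fall back on the published indicators and YARA rules rather than on the account the traffic runs under.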
Another new feature is the hooking of various Windows API functions. It is not clear when the malware uses API hooking and token impersonation, but according to the NCSC the attackers are making deliberate operational security decisions. No further details are given about the affected network or about who is behind the malware.