Malware analysis report on SparrowDoor malware
Summary
The NCSC provides a technical analysis of a SparrowDoor malware variant discovered on a UK network in 2021. This variant extends the previously reported sample (ESET, September 2021) with additional capabilities. SparrowDoor acts as a persistent loader and backdoor; its command-and-control (C2) traffic is XOR-encoded and then carried over HTTPS, so the payload remains obscured even where TLS is inspected. New functionality observed includes clipboard logging, anti-virus detection, inline hooking of Windows API functions and token impersonation. The NCSC publishes IOCs, STIX, Sigma and YARA detection artefacts alongside the report.
Key Points
- SparrowDoor is a persistent loader and backdoor observed on a UK network in 2021.
- The malware hides its C2 traffic by XOR-encoding the data it sends and receives inside HTTPS connections.
- New features include clipboard logging, AV detection, inline API hooking and token impersonation.
- NCSC provides downloadable artefacts: PDF report, CSV indicators, Sigma rules, STIX 2.1 collection and YARA signatures.
- The report is aimed at incident responders and security teams for detection and mitigation.
Content summary
The report analyses a SparrowDoor variant that builds on a sample first reported by ESET in September 2021. Behavioural and static analysis cover the persistence mechanisms, the obfuscation of network communication (XOR encoding beneath HTTPS) and the additional tooling used by the threat actor, such as clipboard capture and runtime API hooking. The NCSC bundles indicators of compromise and machine-readable artefacts (STIX, Sigma, YARA) so that defenders can implement detections and response actions directly.
Downloads provided include the full PDF analysis, a CSV of IOCs, Sigma detection rules, a STIX 2.1 collection for threat intelligence platforms and YARA rules for file detection.
Context and relevance
This report is relevant to security operations, threat intelligence and incident response teams. SparrowDoor illustrates an ongoing trend of loaders and backdoors becoming stealthier and more multifunctional, combining obfuscated C2, token misuse and local reconnaissance such as clipboard logging. The supplied detection artefacts make it easier to hunt for this variant within corporate environments and to update protections. Organisations should ensure their detection pipelines ingest the provided Sigma, STIX and YARA artefacts, and should review monitoring of privilege use and token impersonation, since the XOR layer means network inspection alone may not reveal the C2 content.
Why should I read this?
If you look after security for a network (or even just want to sleep better at night), this one is worth a skim. It is a compact, practical pack: analysis plus ready-to-use IOCs and detection rules, so you do not need to reverse engineer the sample yourself. A quick win for anyone wanting to harden detection against stealthy loaders and backdoors.