Home / malwarePDF  


First posted on 11 November 2017.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:Win32/Wingbird.A!dha.

Explanation :


This threat is deployed through spear-phishing emails. The emails contain a malicious Microsoft Word document with an Adobe Flash exploit (a zero-day exploit at the time this threat was initially discovered). When opened, the document contacts a remote server to obtain other components and trigger other activities before delivering the actual backdoor payload.

This threat is known to contact the following URL for information:



Injects code to system processes to install a backdoor

The initial Wingbird infection comes from a 32-bit executable file that drops the secondary payload, which is a 64-bit executable file. The secondary payload performs code injection into the following system processes:

  • winlogon.exe
  • services.exe

It creates the folder "\ProgramData\AuditService\" and copies the clean file "lsass.exe" (taken from "\Windows\System32\") into the folder. It also drops a malicious file, "sspisrv.dll", into the folder.

The tainted "services.exe" installs "\ProgramData\AuditService\lsass.exe" as an autostart Windows service named "Audit Service".

When the new "lsass.exe" service autostarts, the malicious file "sspisrv.dll" sideloads in the same folder.

"lsass.exe" will eventually crash because of a failure to load other dependencies. By the time of the crash, "sspisrv.dll" will already have injected malicious code into the system process "svchost.exe". The injected code is located at the entry point of the DLL and therefore gets executed as soon as the DLL loads.

The injected code, which has typical backdoor capabilities, now resides in the tainted "svchost.exe".

Analysis by Mathieu Letourneau and Andrea Lelli

Last update 11 November 2017