An Islamic charitable non-profit organization based in Saudi Arabia has been the target of a prolonged cyber-espionage campaign. The campaign began in May 2023 and involved sophisticated tactics employed by an unidentified threat actor.
According to a new advisory by cybersecurity firm Talos, the attackers, whose initial access vector remained undisclosed, used malware dubbed “Zardoor” to establish persistence within the target organization’s network.
To evade detection, they made extensive use of open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom. These tools were customized to minimize dependencies and execute commands seamlessly.
Once inside the network, the threat actor employed Windows Management Instrumentation (WMI) to move laterally and execute commands remotely. They deployed a series of backdoors, including “zar32.dll” and “zor32.dll,” to maintain access and exfiltrate data from the compromised systems.
To ensure persistence, the attackers employed various techniques, including the manipulation of system services and the creation of scheduled tasks. Additionally, they utilized reverse proxies to establish communication with external servers, making it difficult to detect malicious traffic.
The threat actor’s use of tools like FRP and Venom underscores their sophistication, as these are legitimate tools repurposed for malicious activities. Such tactics increase the stealthiness of the attack and complicate efforts to identify and mitigate the threat.
“The threat actor appears highly skilled based on their ability to create new tooling, such as the Zardoor backdoors, customize open-source proxy tools and leverage several LoLBins including ‘msdtc.exe’ to evade detection,” Talos wrote.
“In particular, side-loading backdoors contained in ‘oci.dll’ via MSDTC is a very effective method of remaining undetected while maintaining long-term access to a victim’s network.”
Despite extensive analysis, Talos was unable to attribute this campaign to any known threat actor. The level of expertise demonstrated by the attackers, coupled with their ability to create and customize tools, suggested the involvement of an advanced and skilled adversary.