Cisco’s Talos security researchers have uncovered a sophisticated cyberespionage campaign that remained undetected for two years, targeting a non-profit organization in Saudi Arabia. The stealthy operation, employing a custom backdoor known as Zardoor, involved the use of modified reverse proxies such as Fast Reverse Proxy, sSocks, and Venom, alongside the manipulation of legitimate tools for malware delivery and command-and-control (C&C) infrastructure. Although the campaign was identified in May 2023, evidence suggests it commenced in March 2021, with the threat actor exfiltrating data from the Islamic charitable non-profit organization twice a month.
The Zardoor custom backdoor functions as an HTTP/SSL remote access tool, allowing data exfiltration to the C&C, fileless payload execution, session ID search, configuration updates, self-removal, and remote shellcode execution. The threat actor demonstrated a high level of sophistication by abusing Windows Management Instrumentation (WMI) for lateral movement and by using scheduled tasks to register the modified open-source reverse proxy tools for persistence. Talos notes that attributing the campaign is difficult, as there is no overlap between the observed tools and the C&C infrastructure used, suggesting the involvement of an unknown and advanced threat actor.
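The two behaviours the article attributes to the operators, remote process creation through WMI and scheduled tasks that launch a reverse-proxy binary, both leave records in the Windows Security log (event 4688 for process creation, 4698 for task registration). The following is an added example, not code from the article or from Talos, showing a minimal detection pass over constructed event records. The simplified field names, the sample events and the list of proxy binary names are assumptions made for illustration; in a real deployment the same logic would run over parsed events from a SIEM or EDR.

```python
"""Added example: flag WMI-spawned processes and scheduled tasks that run a
suspected reverse proxy, over constructed Windows Security log records."""
import re
from dataclasses import dataclass

# Constructed sample records modelled on Security events 4688 (process
# creation) and 4698 (scheduled task created). Field names are simplified.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 4688, "host": "WS01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe"},
    {"id": 4698, "host": "WS01", "task": r"\Microsoft\Windows\Updater",
     "action": r"C:\Users\Public\frpc.exe -c C:\Users\Public\frpc.ini"},
    {"id": 4698, "host": "WS01", "task": r"\Backup\Nightly",
     "action": r"C:\Program Files\Backup\backup.exe"},
]

# A process whose parent is the WMI provider host was created through WMI
# (e.g. Win32_Process.Create), which is how WMI lateral movement shows up.
WMI_HOST = re.compile(r"\\wmiprvse\.exe$", re.IGNORECASE)
# Locations a non-admin user can write to; legitimate tasks rarely run from here.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp)\\",
                           re.IGNORECASE)
# Illustrative binary names for the open-source proxies named in the article
# (assumed; the actor's modified builds may use other names).
PROXY_NAMES = {"frpc.exe", "frps.exe", "ssocks.exe", "venom.exe"}


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def image_path(action: str) -> str:
    """Return the executable path from a task action or command line."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end] if end > 0 else action[1:]
    return action.split()[0] if action else ""


def check_wmi_spawn(ev: dict):
    """Rule 1: process creation whose parent is WmiPrvSE.exe."""
    if ev.get("id") != 4688:
        return None
    if WMI_HOST.search(ev.get("parent", "")):
        return Finding(ev["host"], "wmi_remote_exec",
                       f"{ev['image']} spawned by WmiPrvSE.exe: {ev['cmdline']}")
    return None


def check_task_persistence(ev: dict):
    """Rule 2: task registered to run a known proxy name or a user-writable path."""
    if ev.get("id") != 4698:
        return None
    path = image_path(ev.get("action", ""))
    name = path.rsplit("\\", 1)[-1].lower()
    if name in PROXY_NAMES or USER_WRITABLE.match(path):
        return Finding(ev["host"], "sched_task_proxy",
                       f"task {ev['task']} runs {path}")
    return None


def scan(events):
    """Apply both rules to every event and collect the findings."""
    findings = []
    for ev in events:
        for check in (check_wmi_spawn, check_task_persistence):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Both rules are deliberately narrow: a WmiPrvSE.exe parent does have benign sources (monitoring agents, SCCM), so in practice the WMI rule is usually combined with the originating logon session or source host, and the task rule with a baseline of known task actions on the estate.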