Sophisticated cyberattack hits Islamic charity in Saudi Arabia

esteria.white

A non-profit Islamic charity based in Saudi Arabia has been the target of a prolonged cyberespionage campaign. The campaign began in May 2023 and involved sophisticated tactics employed by an unidentified threat actor.

According to a new advisory from cybersecurity firm Talos, the attackers, whose initial access vector was not disclosed, used malware dubbed “Zardoor” to establish persistence within the target organization’s network.

To evade detection, they made extensive use of open source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks, and Venom, customizing them to minimize dependencies and execute commands seamlessly.


Once inside the network, the threat actor used Windows Management Instrumentation (WMI) to move laterally and execute commands remotely. They deployed a series of backdoors, including “zar32.dll” and “zor32.dll,” to maintain access and exfiltrate data from compromised systems.

To achieve persistence, attackers used a variety of techniques, including manipulating system services and creating scheduled tasks. Additionally, they used reverse proxies to establish communication with external servers, making it difficult to detect malicious traffic.

Malicious actors’ use of tools like FRP and Venom underscores their sophistication, as these are legitimate tools repurposed for malicious activity. Such tactics increase the stealth of the attack and complicate efforts to identify and mitigate the threat.

“The threat actor appears highly skilled due to their ability to create new tools, such as Zardoor backdoors, customize open source proxy tools, and exploit multiple LoLBins, including ‘msdtc.exe’, to evade detection,” Talos wrote.

“In particular, sideloading backdoors contained in ‘oci.dll’ via MSDTC is a very effective method of remaining undetected while still retaining long-term access to a victim’s network.”
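One way a defender can hunt for the MSDTC sideloading described above is to review Sysmon ImageLoad (Event ID 7) records for DLLs loaded by msdtc.exe. The following script is an added example, not code from the article or from Talos; it assumes msdtc.exe should load its own DLLs only from System32 and treats the DLL names quoted in the article as worth review. The records it scans are constructed.

```python
import ntpath

# Assumptions (not stated in the article): msdtc.exe loads its own DLLs only from
# System32, and any load of the DLL names below by msdtc.exe deserves analyst review.
EXPECTED_DIR = r"c:\windows\system32"
WATCHED_DLLS = {"oci.dll", "zar32.dll", "zor32.dll"}  # names taken from the article

def is_suspicious_load(event):
    """Return a list of reasons if this Sysmon ImageLoad record looks like
    MSDTC sideloading, or None if it is an ordinary load (or not msdtc.exe)."""
    if ntpath.basename(event.get("Image", "")).lower() != "msdtc.exe":
        return None
    loaded = event.get("ImageLoaded", "")
    dll_name = ntpath.basename(loaded).lower()
    dll_dir = ntpath.dirname(loaded).lower()
    reasons = []
    if dll_name in WATCHED_DLLS:
        reasons.append(f"msdtc.exe loaded watched DLL {dll_name}")
    if dll_dir != EXPECTED_DIR:
        reasons.append(f"loaded from outside System32: {dll_dir}")
    if event.get("Signed", "").lower() != "true":
        reasons.append("image is not signed")
    return reasons or None

def scan(events):
    """Run the check over a batch of records; returns (ImageLoaded, reasons) pairs."""
    hits = []
    for e in events:
        reasons = is_suspicious_load(e)
        if reasons:
            hits.append((e.get("ImageLoaded", ""), reasons))
    return hits

# Constructed Sysmon Event ID 7 records (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\ole32.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\oci.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\oci.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Users\Public\zar32.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

On hosts with an Oracle client installed, a vendor-signed oci.dll loaded from the Oracle home will still be reported because of the watched name; treat such hits as expected after confirming the signer.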

Despite deep analysis, Talos was unable to attribute this campaign to a known threat actor. The level of expertise demonstrated by the attackers, coupled with their ability to create and customize tools, suggested the involvement of an advanced and skilled adversary.
