Covert Zardoor Backdoor Targets Saudi Islamic Charities

Stealthy Zardoor Backdoor

An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a covert cyber espionage campaign designed to drop an undocumented backdoor called Zardoor.

Cisco Talos, which discovered the activity in May 2023, said the campaign has likely been ongoing since March 2021, adding that only one compromised target has been identified so far, although it is suspected there could be other victims.

“Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command-and-control (C2), and maintain persistence,” said security researchers Jungsoo An, Wayne Lee and Vanja Svajcer, highlighting the threat actor’s ability to maintain long-term access to victim environments without attracting attention.

The breach of the Islamic charity involved the periodic exfiltration of data, approximately twice a month. The exact initial access vector used to infiltrate the entity is currently unknown.


However, the access gained has been leveraged to drop Zardoor for persistence, followed by establishing C2 connections using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom.

“Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker’s tools – including Zardoor – by spawning processes on the target system and executing commands received from the C2,” the researchers said.

The as yet undetermined infection path paves the way for a dropper component that in turn deploys a malicious dynamic link library (“oci.dll”) responsible for delivering two backdoor modules, “zar32.dll” and “zor32.dll.”

While the former is the main backdoor element that enables C2 communication, the latter ensures that “zar32.dll” is deployed with administrative rights. Zardoor can exfiltrate data, run remotely retrieved executables and shellcode, update the C2 IP address, and remove itself from the host.
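As an added illustration of how a defender might look for the two behaviours the article describes (processes spawned through WMI, and the dropper and backdoor module names), here is a small detection routine over constructed Sysmon-style events. This is example code written for this page, not tooling from Cisco Talos; the event layout, host names, file paths and the "updater.exe" host process are assumptions, and only the DLL names come from the article.

```python
import ntpath

# Constructed Sysmon-style events for illustration, not telemetry from the
# reported intrusion. id 1 = process create, id 7 = image (DLL) load.
SAMPLE_EVENTS = [
    {"id": 1, "host": "fs01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 1, "host": "fs01", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 7, "host": "fs01", "image": r"C:\ProgramData\upd\updater.exe",
     "loaded": r"C:\ProgramData\upd\oci.dll"},
    {"id": 7, "host": "fs01", "image": r"C:\ProgramData\upd\updater.exe",
     "loaded": r"C:\ProgramData\upd\zar32.dll"},
    {"id": 7, "host": "ws07", "image": r"C:\Program Files\App\app.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

# Module names reported for this campaign (taken from the article).
ZARDOOR_DLLS = {"oci.dll", "zar32.dll", "zor32.dll"}
# Common interpreters/LoLBins; one of these with WmiPrvSE.exe as parent is the
# usual footprint of a process created remotely through WMI.
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

def base(path: str) -> str:
    return ntpath.basename(path).lower()

def check_event(ev: dict) -> list[str]:
    """Return the names of the rules an event matches (empty if benign)."""
    hits = []
    if ev["id"] == 1 and base(ev["parent"]) == "wmiprvse.exe" and base(ev["image"]) in LOLBIN_CHILDREN:
        hits.append("wmi_spawned_shell")
    if ev["id"] == 7 and base(ev["loaded"]) in ZARDOOR_DLLS:
        # oci.dll is also a legitimate Oracle client library name; in production
        # add path, signer and hash context before alerting on the name alone.
        hits.append("zardoor_module_name")
    return hits

def correlate(events: list[dict]) -> dict[str, list[str]]:
    """Group rule hits per host so WMI activity and module loads on the same
    machine surface together, matching the chain the article describes."""
    by_host: dict[str, list[str]] = {}
    for ev in events:
        for hit in check_event(ev):
            by_host.setdefault(ev["host"], []).append(hit)
    return by_host

if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(set(hits)))
```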

The origins of the threat actors behind the campaign are unclear and there are currently no tactical overlaps with known, publicly reported threat actors. That said, it is rated as the work of an “advanced threat actor.”
