A non-profit organization in Saudi Arabia has been targeted in a stealthy cyberespionage campaign that remained undetected for two years, Cisco’s Talos security researchers report.
The campaign is characterized by a custom backdoor dubbed Zardoor, modified reverse proxies (such as Fast Reverse Proxy, sSocks, and Venom), and the abuse of legitimate tools for malware delivery, persistence, and command-and-control (C&C) setup.
According to Talos, the use of reverse proxy tools overlaps with the tools, techniques, and procedures (TTPs) associated with several Chinese threat actors, but there is not enough evidence to link the activity to a known group from China.
The campaign was identified in May 2023, but it likely started in March 2021, with the threat actor exfiltrating data from the victim organization, an Islamic charitable non-profit organization, twice a month.
“At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others,” Talos notes.
An HTTP/SSL remote access tool, the Zardoor custom backdoor can exfiltrate data to the C&C, execute payloads in fileless mode, search for session IDs, update its configuration, remove itself, and provide remote shellcode execution.
The threat actor was seen abusing Windows Management Instrumentation (WMI) for lateral movement, and registering modified open source reverse proxy tools as scheduled tasks for persistence.
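The two behaviours described above, reverse-proxy tools registered as scheduled tasks and remote execution through WMI, are both visible in ordinary host telemetry. The following Python is an added hunting example written for this article; it is not code from Talos or from the report. It runs two heuristics over constructed sample data: a scheduled-task export in the column layout of `schtasks /query /fo CSV /v`, and process-creation records with Sysmon-style field names. The binary names `frpc`, `frps`, `ssocks` and `venom` are the default names of the open source proxies the report names; the assumption that a modified build keeps a recognisable name is marked in the code, and a path-based rule is applied alongside it for that reason. The allowlist `KNOWN_GOOD` is a placeholder to be filled from your own baseline.

```python
"""Hunting heuristics for two TTPs from the Talos report: reverse-proxy tools
persisted as scheduled tasks, and command interpreters spawned by the WMI
provider host. All sample data below is constructed for this example."""
import csv
import io
from typing import Dict, List

# Default binary names of the proxies named in the report (Fast Reverse Proxy,
# sSocks, Venom). Assumption: a modified build may have been renamed, so the
# user-writable-path rule below is applied independently of this list.
PROXY_MARKERS = ("frpc", "frps", "ssocks", "venom")
# Directories from which a SYSTEM-level persistence task rarely runs legitimately.
WRITABLE_DIRS = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")
# Interpreters that a WMI-initiated remote command typically launches.
SHELL_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "rundll32.exe")
# Placeholder allowlist of binaries known to run from user-writable paths in this
# environment; populate from a baseline of clean hosts before relying on it.
KNOWN_GOOD = {"onedrive.exe"}

# Constructed export in the column layout of `schtasks /query /fo CSV /v` (subset of columns).
SAMPLE_TASKS_CSV = """\
"TaskName","Task To Run","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o","SYSTEM"
"\\Updater","C:\\ProgramData\\Updater\\update.exe -c C:\\ProgramData\\Updater\\cfg.ini","SYSTEM"
"\\OneDriveSync","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background","alice"
"\\NetSvc","C:\\Windows\\Temp\\svc\\frpc.exe -c C:\\Windows\\Temp\\svc\\frpc.ini","SYSTEM"
"""

# Constructed process-creation records using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all", "User": "CORP\\svc_admin"},
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Program Files\\Monitoring\\agent.exe",
     "CommandLine": "agent.exe --collect", "User": "NT AUTHORITY\\SYSTEM"},
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe", "User": "CORP\\alice"},
    {"ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date", "User": "CORP\\svc_admin"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].lower()


def _first_token(cmd: str) -> str:
    """Executable part of a 'Task To Run' value, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def find_proxy_tasks(tasks_csv: str) -> List[Dict[str, object]]:
    """Flag tasks whose executable matches a proxy name or lives in a writable path."""
    findings = []
    for row in csv.DictReader(io.StringIO(tasks_csv)):
        cmd = row["Task To Run"].lower()
        exe = _basename(_first_token(cmd))
        reasons = []
        if any(marker in exe for marker in PROXY_MARKERS):
            reasons.append("proxy-tool-name")
        if any(d in cmd for d in WRITABLE_DIRS) and exe not in KNOWN_GOOD:
            reasons.append("user-writable-path")
        if reasons:
            findings.append({"task": row["TaskName"], "command": row["Task To Run"],
                             "user": row["Run As User"], "reasons": reasons})
    return findings


def find_wmi_spawned_shells(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return process-creation events where WmiPrvSE.exe launched a command interpreter."""
    return [ev for ev in events
            if _basename(ev["ParentImage"]) == "wmiprvse.exe"
            and _basename(ev["Image"]) in SHELL_CHILDREN]


if __name__ == "__main__":
    for f in find_proxy_tasks(SAMPLE_TASKS_CSV):
        print(f"task {f['task']} ({f['user']}): {', '.join(f['reasons'])}")
    for ev in find_wmi_spawned_shells(SAMPLE_EVENTS):
        print(f"WMI-spawned {_basename(ev['Image'])} as {ev['User']}: {ev['CommandLine']}")
```

On the sample data the task rule flags `\NetSvc` on both counts and `\Updater` on the path rule alone, while the OneDrive task is suppressed by the allowlist; the WMI rule returns the two interpreter launches and ignores the monitoring agent. Neither rule is a verdict on its own: the path rule is noisy without a baseline, and a renamed proxy binary only surfaces through the path rule or through its network behaviour, so correlate hits with outbound connections from the flagged process.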
According to Talos, the attacks have been orchestrated by a highly skilled adversary, based on the use of a custom backdoor and modified tools, and their ability to remain undetected for years.
“Talos assesses this campaign was conducted by an unknown and advanced threat actor. We have not been able to attribute this activity to any known, publicly reported threat actor at this time, as we have not found any overlap between the observed tools or C&C infrastructure used in this campaign,” Talos concludes.