Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Nation-State

Stealthy Cyberespionage Campaign Remained Undiscovered for Two Years

A possibly China-linked threat actor uses a custom backdoor in a cyberespionage campaign ongoing since at least 2021.

A non-profit organization in Saudi Arabia has been targeted in a stealthy cyberespionage campaign that remained undetected for two years, Cisco’s Talos security researchers report.

The campaign is characterized by a custom backdoor dubbed Zardoor, modified reverse proxies (such as Fast Reverse Proxy, sSocks, and Venom), and the abuse of legitimate tools for malware delivery, persistence, and command-and-control (C&C) setup.

According to Talos, the use of reverse proxy tools overlaps with the tools, techniques, and procedures (TTPs) associated with several Chinese threat actors, but there is not enough evidence to link the activity to a known group from China.

The campaign was identified in May 2023, but it likely started in March 2021, with the threat actor exfiltrating data from the victim organization, an Islamic charitable non-profit organization, twice a month.

“At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others,” Talos notes.

An HTTP/SSL remote access tool, the Zardoor custom backdoor can exfiltrate data to the C&C, execute payloads in fileless mode, search for session IDs, update its configuration, remove itself, and provides remote shellcode execution.

The threat actor was seen abusing Windows Management Instrumentation (WMI) for lateral movement, and registering modified open source reverse proxy tools as scheduled tasks for persistence.

According to Talos, the attacks have been orchestrated by a highly skilled adversary, based on the use of a custom backdoor and modified tools, and their ability to remain undetected for years.

Advertisement. Scroll to continue reading.

“Talos assesses this campaign was conducted by an unknown and advanced threat actor. We have not been able to attribute this activity to any known, publicly reported threat actor at this time, as we have not found any overlap between the observed tools or C&C infrastructure used in this campaign,” Talos concludes.

Related: Sandman Cyberespionage Group Linked to China

Related: US Sanctions North Korean Cyberespionage Group Kimsuky

Related: ‘Earth Estries’ Cyberespionage Group Targets Government, Tech Sectors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cyberwarfare

In a campaign called Volt Typhoon, Microsoft says Chinese government hackers were siphoning data from critical infrastructure organizations in Guam, a U.S. territory in...

ICS/OT

Mandiant's Chief analyst urges critical infrastructure defenders to work on finding and removing traces of Volt Typhoon, a Chinese government-backed hacking team caught in...

Cyberwarfare

While cyber eyes are trained on Russia, we should remember that it is not the West’s only cyber adversary. China, Iran, and North Korea...