Stealthy Zardoor Backdoor Targets Saudi Islamic Charity Organization
An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a stealthy cyber espionage campaign designed to drop a previously undocumented backdoor called Zardoor.
Cisco Talos, which discovered the activity in May 2023, said the campaign has likely persisted since at least March 2021, adding it has identified only one compromised target to date, although it’s suspected that there could be other victims.
“Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command-and-control (C2), and maintain persistence,” security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer said, calling out the threat actor’s ability to maintain long-term access to victim environments without attracting attention.
The intrusion targeting the Islamic charitable organization involved the periodic exfiltration of data roughly twice a month. The exact initial access vector used to infiltrate the entity is currently unknown.
The foothold obtained, however, has been leveraged to drop Zardoor for persistence, followed by establishing C2 connections using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks, and Venom.
“Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker’s tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2,” the researchers said.
The as-yet-undetermined infection pathway paves the way for a dropper component that, in turn, deploys a malicious dynamic-link library (“oci.dll”) that’s responsible for delivering two backdoor modules, “zar32.dll” and “zor32.dll.”
While the former is the core backdoor element that facilitates C2 communications, the latter ensures that “zar32.dll” has been deployed with administrator privileges. Zardoor is capable of exfiltrating data, executing remotely fetched executables and shellcode, updating the C2 IP address, and deleting itself from the host.
The origins of the threat actor behind the campaign are unclear, and it does not share any tactical overlaps with a known, publicly reported threat actor at this time. That said, it’s assessed to be the work of an “advanced threat actor.”