By Jungsoo An, Wayne Lee and Vanja Svajcer.
Cisco Talos discovered a new, stealthy espionage campaign that has likely persisted since at least March 2021. The observed activity affects an Islamic non-profit organization using backdoors for a previously unreported malware family we have named “Zardoor.” We believe an advanced threat actor is carrying out this attack, based on the deployment of the custom backdoor Zardoor, the use of modified reverse proxy tools, and the ability to evade detection for several years. Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command and control (C2), and maintain persistence. At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others.Based on Talos’ and third-party research, the use of reverse proxy tools overlaps with TTPs employed by several threat groups originating from China. Still, we can assess the relations of the new threat actor with the existing groups only with low confidence, as open-source tools can be used by any threat actor. The choice of the compromised target does not align with the known objectives of any known threat actors originating from China.Talos discovered an ongoing espionage campaign in May 2023 targeting an Islamic charitable non-profit organization in Saudi Arabia that exfiltrates data approximately twice a month.
The initial access vector is unknown, however, we observed the threat actor executing a malware we are calling the “Zardoor” backdoor to gain persistence. Then we observed the threat actor establishing C2 using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom, a reverse proxy socks5 server-client tool originally developed for penetration testers.
The ..
Support the originator by clicking the read the rest link below.
