Rewterz Threat Alert – Sophisticated Cyber Espionage Campaign Used Zardoor Backdoor to Target Islamic Charity in Saudi Arabia – Active IOCs

Severity

High

Analysis Summary

A Saudi Arabian Islamic charitable non-profit organization has been recently discovered to be the target of a long-term cyber espionage campaign that started in May 2023 and leveraged advanced tactics by an unknown attacker.

Cybersecurity researchers observed that the threat actors used a malware named “Zardoor” to gain persistence in the targeted organization’s network. The initial access vector, however, remains unknown. For detection evasion, the attackers actively utilized open-source reverse proxy tools like sSocks, Fast Reverse Proxy (FRP), and Venom.

Most of these tools were also customized by the threat actor to execute commands seamlessly and establish a connection with a command-and-control (C2) server. The attacker used the customized sSocks to remove dependencies on Visual C Runtime libraries, making sure the tools would only rely on WinAPI libraries so they are capable of being executed without any unexpected runtime errors.

After compromising the network, the threat actor employed Windows Management Instrumentation (WMI) to move laterally and perform remote command execution using the attacker’s tools such as Zardoor. To maintain access to the compromised systems and exfiltrate data, they deployed a series of backdoors like “zor32.dll” and “zar32.dll”.

The threat actors used many different techniques to ensure persistence, such as manipulating the system services and creating scheduled tasks. They also leveraged reverse proxies for establishing communication with actor-controlled servers, which makes it a challenge to detect malicious traffic. A file sample for the dropper used in this campaign could not be obtained, but other available samples were analyzed that included an execution sequence and filenames similar to the malicious activity, showing a relation to the observed attack.

The use of tools like Venom and FRP by the attacker shows their sophistication since these tools are legitimate and were customized to be used for malicious activities. These kinds of advanced tactics help increase the stealthiness of the attack and make it difficult to identify and mitigate the threat. The attackers seem to possess a high level of skills to be able to create new tools like the Zardoor backdoor, customize open-source proxy tools, and utilize multiple LoLBins like “msdtc.exe” for flying under the radar.

Side-loading backdoors that were found in “oci.dll” through MSDTC prove to be a highly effective method for evading detection from security software and allow the threat actors to maintain prolonged access to the victim’s network. Despite the extensive analysis, however, the researcher team was unable to link this campaign to a previously known threat actor. The sophistication shown by the threat actors along with their ability to create and customize tools points to the involvement of a skilled and advanced adversary.

Impact

• Cyber Espionage
• Data Exfiltration
• Unauthorized Access

Indicators of Compromise

MD5

• dffa48f29a363071d47fffd114545009
• 27e96e13a0a538aad23540d52977012f
• 72b0ca267df69ce8c86440a81cd2f321
• 23f6b621c70024749217614680a2d2b2
• e0f4afe374d75608d604fbf108eac64f
• 07c47f9b80c3861f219078902b860077
• 82fce2c2a557e1580c82c9c7e15a8c79
• 3a326ef320df0d7f111f3a0b27caf238
• 91a533644f0a1440c82572b563d9eed9
• dd5694d0797e22f521faeb6026eddaa8

SHA-256

• f71f7c68209ea8218463df397e5c39ef5f916f138dc001feb3a60ef585bd2ac2
• c6419df4bbda5b75ea4a0b8e8acd2100b149443584390c91a218e7735561ef74
• 73c7459e0c3ba00c0566f7baa710dd8b88ef3cf75ee0e76d36c5d8cd73083095
• 29741f7987ab61b85adb310a7ab2f44405822f1719fa431c8f49007b64f6f5cd
• 7905bd9bb4d277a81935a22f975a0030faa9e5c9dbb9f6152c2f56ba1cd0cdea
• a99a9f2853ff0ca5b91767096c7f7e977b43e62dd93bde6d79e3407bc01f661d
• 0058d495254bf3760b30b5950d646f9a38506cef8f297c49c3b73c208ab723bf
• d267e2a6311fe4e2dfd0237652223add300b9a5233b555e131325a2612e1d7ef
• 3adcc81446f0e8ed1a2bc1e815613eb5622afba57941d651faa2b5bc4b2f13c1
• 5655a2981fa4821fe09c997c84839c16d582d65243c782f45e14c96a977c594e

SHA-1

• 3f1e048a7feb76e209ac2a03106c45cdb6b67fef
• 2e068c72137073cb250bf021eb502516e5e7b86b
• 0259e9016461edd6bf1c8e99e9b4646df3b02c05
• 97f4a1d182b812f94b432ce4a22c6f8d12d8a823
• 3e79a2e6747adcd898f146b29dd5d30b6bb08222
• 22441cff10885cfb1a2b9eeeb0de088ec77f70d3
• 686c4c99d4766ae242b22d5275900750275d856d
• 0938360274a6511e2c92cdd96a5f065febb9af8e
• 91eddbe83c121b41ce2675fefb51d68afe202455
• 179a161d33a2b9d37a0cffe6d51c673c554a0f68

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Be vigilant when downloading software and double-check the URL to see if it is legitimate.
• Never download software from untrusted sources.
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Develop and regularly update an incident response plan that outlines the steps to take in case of a security breach. Test the plan through simulations to ensure its effectiveness.