Suspicious Zardoor Backdoor Targets Saudi Islamic Charities

An undisclosed Islamic non-profit organization located in Saudi Arabia has been the subject of a covert cyber espionage operation aimed at deploying a previously undocumented backdoor known as Zardoor.

The campaign has probably been ongoing since at least March 2021, according to Cisco Talos, which spotted the activity in May 2023. It has only identified one compromised target to date, but it is believed that there may be more victims.

Security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer highlighted the threat actor's capacity to sustain long-term access to victim environments covertly. "Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish Command-and-Control (C2), and maintain persistence," the researchers wrote.

The cyberattack directed at the Islamic nonprofit organization involved data exfiltration that occurred about every 2 months. It is currently unknown exactly which initial access vector was used to compromise the entity.

After gaining a foothold, however, the threat actor dropped Zardoor for persistence and then used open-source reverse proxy tools like sSocks, Venom, and Fast Reverse Proxy (FRP) to establish C2 connections.

"Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker's tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2," the investigators reported.

The infection pathway, which is still unknown, paves the way for a dropper component that deploys a malicious dynamic-link library ("oci.dll"), which in turn delivers two backdoor modules, "zar32.dll" and "zor32.dll."

The former is the main backdoor component that handles C2 communications, while the latter ensures that "zar32.dll" has been deployed with administrator rights. Zardoor can update the C2 IP address, run shellcode and remotely fetched executables, exfiltrate data, and remove itself from the host.
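A defender's view of the chain described above, as an added example that is not from Cisco Talos or the original article: it triages endpoint events for processes spawned by the WMI provider host and for image loads of the three reported DLL names, then ranks hosts that show both. The sample events, the flattened JSON layout, and all paths are constructed; only the DLL names come from the article.

```python
import json
from pathlib import PureWindowsPath

# File names reported in the article. Names alone are weak indicators:
# oci.dll is also the name of Oracle's client library, so hits need triage.
ZARDOOR_DLLS = {"oci.dll", "zar32.dll", "zor32.dll"}
WMI_HOST = "wmiprvse.exe"  # parent of processes started through WMI

# Constructed events (not real telemetry). Field names follow Sysmon's
# process-creation (ID 1) and image-load (ID 7) records; paths are made up.
SAMPLE = r"""
{"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 7, "Computer": "WS01", "Image": "C:\\ExamplePath\\host.exe", "ImageLoaded": "C:\\ExamplePath\\zar32.dll"}
{"EventID": 7, "Computer": "DB02", "Image": "C:\\ExamplePath\\sqlplus.exe", "ImageLoaded": "C:\\ExamplePath\\OCI.DLL"}
{"EventID": 1, "Computer": "WS03", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe"}
not-json: truncated record
"""

def _name(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()

def triage(lines):
    """Return (host, signal, detail) leads from JSON-lines events."""
    leads = []
    for raw in lines:
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip blank or malformed records instead of aborting
        if not isinstance(ev, dict):
            continue
        host = ev.get("Computer", "unknown")
        if ev.get("EventID") == 7 and _name(ev.get("ImageLoaded")) in ZARDOOR_DLLS:
            leads.append((host, "dll-name", ev["ImageLoaded"]))
        elif ev.get("EventID") == 1 and _name(ev.get("ParentImage")) == WMI_HOST:
            leads.append((host, "wmi-spawn", ev.get("Image", "")))
    return leads

def correlated_hosts(leads):
    """Hosts showing both signals, which deserve review first."""
    seen = {}
    for host, signal, _ in leads:
        seen.setdefault(host, set()).add(signal)
    return sorted(h for h, s in seen.items() if s == {"dll-name", "wmi-spawn"})

if __name__ == "__main__":
    leads = triage(SAMPLE.splitlines())
    print(*leads, "review first: %s" % correlated_hosts(leads), sep="\n")
```

The DB02 hit shows why a file-name match is only a lead: it is reported for triage but not ranked alongside WS01, which shows both signals.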

The origin of the threat actor behind the campaign is unknown, and so far it shares no tactical similarities with any publicly reported threat actor. Nevertheless, the campaign is assessed to be the work of an "advanced threat actor."

