Stealthy Cyberespionage Campaign Remained Undiscovered for Two Years


A non-profit organization in Saudi Arabia has been targeted in a stealthy cyberespionage campaign that remained undetected for two years, Cisco’s Talos security researchers report.

The campaign is characterized by a custom backdoor dubbed Zardoor, modified reverse proxies (such as Fast Reverse Proxy, sSocks, and Venom), and the abuse of legitimate tools for malware delivery, persistence, and command-and-control (C&C) setup.

According to Talos, the use of reverse proxy tools overlaps with the tools, techniques, and procedures (TTPs) associated with several Chinese threat actors, but there is not enough evidence to link the activity to a known group from China.

The campaign was identified in May 2023, but it likely started in March 2021, with the threat actor exfiltrating data from the victim organization, an Islamic charitable non-profit organization, twice a month.

“At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others,” Talos notes.

An HTTP/SSL remote access tool, the Zardoor custom backdoor can exfiltrate data to the C&C, execute payloads in fileless mode, search for session IDs, update its configuration, remove itself, and provide remote shellcode execution.

The threat actor was seen abusing Windows Management Instrumentation (WMI) for lateral movement, and registering modified open-source reverse proxy tools as scheduled tasks for persistence.
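The two techniques above, turned into detection logic as an added example (not code from the Talos report): it parses a constructed Task Scheduler definition of the kind Windows Security event 4698 records and flags actions that run a known reverse proxy binary or start from a user-writable directory, and it flags shells spawned by WmiPrvSE.exe, the usual footprint of command execution over WMI. The binary names, the directory list and the keys of the process-event dictionary are assumptions.

```python
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Default build names of the reverse proxy tools the report names (an assumption:
# the actor's modified copies may be renamed) and user-writable drop directories.
PROXY_BINARIES = {"frpc.exe", "frps.exe", "ssocks.exe", "venom.exe"}
WRITABLE_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\", "\\temp\\")

# Constructed Task Scheduler XML in the form carried by the TaskContent field of
# Windows Security event 4698 (scheduled task created). Not a real capture.
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\ProgramData\\Update\\frpc.exe</Command>
      <Arguments>-c frpc.ini</Arguments>
    </Exec>
  </Actions>
</Task>"""
BENIGN_XML = TASK_XML.replace("C:\\ProgramData\\Update\\frpc.exe", "C:\\Windows\\System32\\defrag.exe")

def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (command, arguments) pairs from a Task Scheduler definition."""
    root = ET.fromstring(task_xml)
    return [(ex.findtext("t:Command", default="", namespaces=NS),
             ex.findtext("t:Arguments", default="", namespaces=NS))
            for ex in root.findall("t:Actions/t:Exec", NS)]

def flag_task(task_xml: str) -> list[str]:
    """Reasons a newly created task deserves analyst attention (empty if none)."""
    reasons = []
    for cmd, _args in exec_actions(task_xml):
        exe = os.path.basename(cmd.replace("\\", "/")).lower()
        if exe in PROXY_BINARIES:
            reasons.append(f"runs known reverse proxy binary {exe}")
        if any(d in cmd.lower() for d in WRITABLE_DIRS):
            reasons.append(f"runs from user-writable path {cmd}")
    return reasons

def flag_process(event: dict) -> list[str]:
    """Process-creation record (4688/Sysmon style, constructed keys): a shell whose
    parent is WmiPrvSE.exe is the usual footprint of remote command execution over WMI."""
    parent = os.path.basename(event.get("parent", "").replace("\\", "/")).lower()
    child = os.path.basename(event.get("image", "").replace("\\", "/")).lower()
    if parent == "wmiprvse.exe" and child in {"cmd.exe", "powershell.exe"}:
        return [f"{child} spawned by WmiPrvSE.exe (possible WMI lateral movement)"]
    return []

if __name__ == "__main__":
    print(flag_task(TASK_XML), flag_task(BENIGN_XML))
```

Feeding real 4698 and 4688 events into these functions means extracting the TaskContent string and the process/parent image paths from the event XML first; the matching itself is what the block shows.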

According to Talos, the attacks were orchestrated by a highly skilled adversary, judging by the use of a custom backdoor and modified tools and by its ability to remain undetected for years.


“Talos assesses this campaign was conducted by an unknown and advanced threat actor. We have not been able to attribute this activity to any known, publicly reported threat actor at this time, as we have not found any overlap between the observed tools or C&C infrastructure used in this campaign,” Talos concludes.

