“Zardoor” Backdoor Spied on Non-Profit for Years

The Cisco Talos research team uncovered a vast espionage campaign targeted at a non-profit charitable organization in Saudi Arabia. Commencing in March 2021, the campaign employed a previously unknown custom backdoor named Zardoor, which facilitated bi-monthly data exfiltration from the systems of the compromised organization, which Cisco opted not to disclose.

A notable aspect of the attack is the use of modified reverse proxy tools and the ability to remain undetected for nearly three years, demonstrating the attackers’ high level of sophistication.

Cisco Talos specialists noted the characteristic use of a reverse proxy server by certain hacker groups from China, raising questions about Beijing’s involvement in the operation, though the attack’s target does not align with the interests of Chinese cyber espionage groups. However, the use of reverse proxies is also a common practice among groups from other countries, making the technology a popular tool for securing covert access to protected networks (RDP, domain controllers, database servers, etc.) and transferring data through encrypted channels.

The attack vector of Zardoor remains unknown. The perpetrators devised a command and control mechanism for the attack, utilizing the open-source tool Fast Reverse Proxy (FRP), a configured version of the Socks Linux server and Venom, along with a penetration testing tool for conducting security audits.

After establishing a foothold in the victim’s network, the cybercriminals employed Windows Management Instrumentation (WMI) for lateral movement and the deployment of Zardoor.

The Zardoor malware establishes a persistent backdoor, allowing attackers to execute commands such as updating malicious code or exfiltrating data through a specially designed module, Zar32.dll. The component, operating via Socks or HTTPS proxies, is disguised as legitimate network applications and uses IP addresses employed by CloudFlare DNS services.

Cisco has integrated the detection of Zardoor malware into its enterprise security tools and published indicators of compromise, likely encouraging the rest of the security community to add similar detection and response capabilities.

To enhance security even when using products from other manufacturers, experts advise following standard threat response procedures, examining systems and network activity logs for signs of infection, and ensuring that antivirus and intrusion detection systems are updated with the latest malware signatures.