Islamic Nonprofit Infiltrated for 3 Years With Silent Backdoor

Security researchers recently uncovered a stealthy espionage campaign targeting an Islamic charitable nonprofit organization in Saudi Arabia.

The long-term campaign — apparently active since March 2021 — relies on a previously unreported custom backdoor, dubbed Zardoor, researchers at Cisco Talos reported. The malware exfiltrates data from the victim organization — which Cisco did not identify — approximately twice a month.

The deployment of modified reverse-proxy tools and the ability to evade detection for more than two years means that the assault is likely the work of an "advanced" attacker, the researchers say.

Security researchers have yet to identify any other victims of the Zardoor malware besides the Saudi Arabia-based charity.

APTs Love Reverse Proxies

Zardoor's use of reverse proxy tools matches the tactics of several Chinese advanced persistent threat (APT) groups, according to Cisco Talos, but the "choice of the compromised target does not align with the known objectives" of Chinese espionage groups.

APT groups using reverse proxy tools is "relatively common," overall, says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest Threat Research.

Russia's APT29, the Chinese-backed Volt Typhoon group, North Korea's Lazarus group, and various Iranian state-sponsored groups, including Phosphorus, are among the roster of nation-state groups that employ reverse proxy tools.

Reverse proxies are normally used as load balancers in complex system and application architectures. However, malicious actors abuse the technology to set up communications with otherwise unreachable systems such as RDP servers, domain controllers, files, or database servers on compromised networks.

"Reverse proxies function by allowing covert communications channels to be established between internal systems on a compromised network and external servers controlled by an adversarial group," says Christoph Cemper, founder and CEO of AIPRM.

"At a technical level, this is accomplished by the adversary deploying both a reverse proxy client component within the target environment and a corresponding server interface that they control remotely," he adds. "Network traffic is then redirected through this multipart bidirectional tunnel in a manner that obscures the ultimate source and destination."

Cemper explains that adversaries frequently take steps to disguise these proxy-facilitated connections as normal Web or Internet activity, such as routing communications over ports associated with common protocols like HTTPS and embedding the redirects within legitimate domain names or IP addresses.

"The incorporation of widely supported standards like TLS encryption also shields the content and parameters of transmitted data from routine inspection or detection," he says.

Thwarting the Threat

According to Cisco Talos' technical blog post, the Zardoor campaign began with an as-yet-unknown attack vector.

The attackers subsequently set up a command and control mechanism for the attack using open source reverse proxy tools such as Fast Reverse Proxy (FRP), a customized version of the Socks Linux server and Venom, a penetration-testing tool for running security audits.

Once a foothold into the victim's network was established, the attackers used Windows Management Instrumentation (WMI) for lateral movement and planting the Zardoor malware.

Zardoor establishes a persistent backdoor that communicates with the attackers' command-and-control (C2) setup, allowing them to issue commands, such as to deploy updated malware packages or exfiltrate data. The malware is programmed to grab encrypted data and upload it to the attackers' C2 infrastructure.

"Zar32.dll" is a malicious library and one of the main components of Zardoor. It is an HTTP/SSL remote access tool (RAT) designed to piggyback on legitimate network applications, and operates through a Socks or HTTPS proxy. The malware abuses IP addresses used by CloudFlare DNS services.

Cisco has added detection for the Zardoor malware to its enterprise security tools and published indications of compromise, moves that will likely spur the rest of the vendor community to add similar detection and response capabilities.

"Even enterprises using security products other than Cisco's have options to improve their resilience," says AIPRM's Cemper. "Specifically, security teams should follow standard protocols for addressing new malware threats identified in the wild: Review the indicators of compromise published by threat researchers and check systems and network activity logs for any traces suggesting infection."

In addition, he advises, ensure that anti-malware and intrusion detection products are armed with updated signatures for the malware.

Cisco Talos recommends employing a defense-in-depth security posture to defend against similar threats. "Unfortunately, as we know it all too well, there is no 100% effective protection against persistent and advanced adversaries, and users need to be able to detect the attack if it successfully evades the protection layers," a Cisco spokesperson said.