
Infiltration of Islamic Nonprofit for 3 Years with Silent Backdoor


Cybersecurity researchers have uncovered a previously undetected cyber espionage operation that has been systematically targeting an Islamic charitable nonprofit organization based in Saudi Arabia. According to researchers at Cisco Talos, this prolonged and covert campaign, which appears to have been in operation since March 2021, relies on a newly discovered custom backdoor named Zardoor. The malware is designed to covertly exfiltrate data from the victim organization, which Cisco has chosen not to name, and it does so approximately twice a month.

What is especially disconcerting about this intrusion is that it evaded detection for more than two years, which strongly suggests that a highly sophisticated, “advanced” adversary is behind it. The discovery of the Zardoor campaign also raises questions about the extent and severity of the breach: to date, no targets of the Zardoor malware other than the Saudi charity have been identified.

The use of modified reverse-proxy tools and the ability to avoid detection for such an extended period, together with the nature of the victim organization, point toward an adversary in the “advanced persistent threat” category, according to industry experts at Cisco Talos.

It is worth noting that Zardoor’s use of these reverse proxy tools is characteristic of methods employed by several Chinese advanced persistent threat (APT) groups. However, the choice of target does not align with the known objectives of those Chinese espionage groups, adding a further layer of complexity to an already unusual set of circumstances.

The use of reverse proxy tools by APT groups is, on the whole, relatively common, as Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest Threat Research, explains. Russia’s APT29, the Chinese state-backed Volt Typhoon group, North Korea’s Lazarus group, and various Iranian state-sponsored groups are among the nation-state actors that have employed reverse proxy tools.

Reverse proxies are primarily used as load balancers in complex system and application architectures. Malicious actors, however, repurpose the technology to establish communication channels with otherwise hard-to-reach systems inside compromised networks, such as RDP servers, domain controllers, and file or database servers.

By redirecting network traffic through bidirectional tunnels, adversaries exploit the covert nature of reverse proxies to disguise their communications as normal web or internet activity, a tactic that has greatly contributed to their success in evading detection for such a long period of time.

Put simply, network traffic is concealed by wrapping it in widely supported standards such as TLS encryption, which together shield the transmitted data from routine inspection or detection.

The challenge for defenders now lies in devising ways to thwart this threat. According to a technical blog post by Cisco Talos, the Zardoor campaign began with a presently unspecified attack vector, after which the attackers established command and control using open source reverse proxy tools such as Fast Reverse Proxy (FRP), a customized version of the Socks Linux server, and Venom. Once inside the victim’s network, the attackers used Windows Management Instrumentation (WMI) for lateral movement and to deploy the Zardoor malware.
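The WMI-based lateral movement and the reverse-proxy tooling described above both leave traces in endpoint process-creation telemetry. The following Python script is an added example written for this page, not Cisco Talos tooling or any artifact of the campaign: it applies three heuristics to Sysmon Event ID 1 style records (a non-allowlisted child of WmiPrvSE.exe, FRP or Venom binaries or command lines shaped like theirs, and rundll32.exe loading a DLL from outside the Windows directory). The tool file names, argument patterns, allowlist and sample events are assumptions constructed for illustration.

```python
"""Process-creation triage for the behaviours the article describes.

Added example, not Cisco Talos tooling. Three heuristics over Sysmon
Event ID 1 style records (image, command line, parent image):
  1. a non-allowlisted child of WmiPrvSE.exe, the WMI provider host that
     spawns commands executed remotely through WMI;
  2. a known open-source reverse-proxy binary (FRP, Venom) or a command
     line shaped like one, so renamed binaries are still caught;
  3. rundll32.exe loading a DLL from outside the Windows directory.
Tool names, argument patterns and the sample events are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the new process (Sysmon: Image)
    command_line: str   # Sysmon: CommandLine
    parent_image: str   # Sysmon: ParentImage
    user: str           # Sysmon: User


# Heuristic indicators (assumed names); a real deployment would key on
# vendor-published hashes, since an operator can trivially rename a file.
REVERSE_PROXY_NAMES = {"frpc.exe", "frps.exe", "venom.exe", "venom_agent.exe"}
# "-c <path>frp*.ini|toml" (FRP config) or Venom-style -rhost/-rport/-lport.
REVERSE_PROXY_ARGS = re.compile(
    r"(?i)(?:-c\s+\S*frp[cs]?\S*\.(?:ini|toml)|(?:^|\s)-(?:rhost|rport|lport)\b)"
)
# First DLL path handed to rundll32, with or without surrounding quotes.
RUNDLL32_DLL = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)')
# Children of WmiPrvSE.exe that are routine in many environments; tune per site.
WMI_BENIGN_CHILDREN = {"werfault.exe", "msiexec.exe"}
WINDOWS_DIR = "c:\\windows\\"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, image_basename, detail) tuples for every heuristic hit."""
    findings = []
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        if parent == "wmiprvse.exe" and img not in WMI_BENIGN_CHILDREN:
            findings.append(("wmi_remote_exec", img, ev.parent_image))
        if img in REVERSE_PROXY_NAMES or REVERSE_PROXY_ARGS.search(ev.command_line):
            findings.append(("reverse_proxy_tool", img, ev.command_line))
        if img == "rundll32.exe":
            m = RUNDLL32_DLL.search(ev.command_line)
            if m and not m.group(1).lower().startswith(WINDOWS_DIR):
                findings.append(("rundll32_nonsystem_dll", img, m.group(1)))
    return findings


# Constructed sample telemetry (not real logs). The renamed FRP client
# "svc_update.exe" and the DLL export name "EntryPoint" are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs",
              r"C:\Windows\System32\services.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\ProgramData\svc_update.exe -c C:\ProgramData\frpc.toml"',
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"CORP\svc-backup"),
    ProcEvent(r"C:\ProgramData\svc_update.exe",
              r"svc_update.exe -c C:\ProgramData\frpc.toml",
              r"C:\Windows\System32\cmd.exe", r"CORP\svc-backup"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\ProgramData\Zar32.dll,EntryPoint",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"CORP\svc-backup"),
    ProcEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe", "firefox.exe",
              r"C:\Windows\explorer.exe", r"CORP\alice"),
]

if __name__ == "__main__":
    for rule, image, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {image:18} {detail}")
```

File-name and argument matching is easy to defeat by renaming, so treat these hits as triage leads to be joined with the vendor's published hashes and network indicators. The WmiPrvSE.exe parent relationship is the most durable of the three signals because it reflects how WMI executes remote commands rather than what the operator chose to run.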

Zardoor has been identified as a persistent backdoor that communicates with the attackers’ command-and-control (C2) infrastructure, enabling them to issue commands such as deploying updated malware packages or exfiltrating data. In particular, the malware is designed to collect encrypted data and upload it to the attackers’ C2 infrastructure.

Further inspection reveals that the so-called “Zar32.dll” is a key component of Zardoor, functioning as an HTTP/SSL remote access tool (RAT) that uses a SOCKS or HTTPS proxy. The malware has also been found to use IP addresses associated with Cloudflare DNS services.
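Zardoor's reported cadence, an upload to C2 roughly twice a month over proxied HTTPS, is the kind of pattern that signature matching misses but connection summaries (firewall, proxy or Zeek-style flow logs) can expose. The script below is an added example, not part of Cisco's published detection content: it groups outbound sessions by internal source and external destination, keeps only large, upload-heavy ones, and flags pairs that repeat at a low frequency. The thresholds, the RFC 1918 notion of "internal", and the sample connection records are assumptions; the addresses come from documentation ranges and are not indicators from the campaign.

```python
"""Low-and-slow exfiltration check over connection summaries.

Added example, not Cisco detection content. Zardoor is reported to
upload data to its C2 about twice a month over proxied HTTPS, so a
per-destination view of large, infrequent, upload-heavy sessions from
internal hosts complements signature matching. Thresholds and sample
records are assumptions constructed for this example.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Conn:
    ts: datetime     # connection start
    src: str         # internal host
    dst: str         # remote peer
    dport: int
    bytes_out: int   # sent by src
    bytes_in: int    # received by src


LARGE_UPLOAD = 5 * 1024 * 1024      # 5 MiB per session (tunable assumption)
UPLOAD_RATIO = 4                    # out must exceed 4x in: upload, not download
MIN_SESSIONS = 3                    # need a repeating pattern, not a one-off
MIN_MEDIAN_GAP = timedelta(days=7)  # "low frequency": about weekly or slower
# "Internal" means RFC 1918 here; adjust for the environment's address plan.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_low_slow_exfil(conns):
    """Return one alert dict per (src, dst) pair that shows the pattern."""
    candidates = defaultdict(list)
    for c in conns:
        if not is_internal(c.src) or is_internal(c.dst):
            continue                                    # only internal -> external
        if c.bytes_out < LARGE_UPLOAD or c.bytes_out <= UPLOAD_RATIO * c.bytes_in:
            continue                                    # small or download-shaped
        candidates[(c.src, c.dst)].append(c)

    alerts = []
    for (src, dst), sessions in candidates.items():
        if len(sessions) < MIN_SESSIONS:
            continue
        sessions.sort(key=lambda c: c.ts)
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(sessions, sessions[1:])]
        median_gap = timedelta(seconds=median(gaps))
        if median_gap < MIN_MEDIAN_GAP:
            continue                                    # nightly backups and the like
        alerts.append({
            "src": src,
            "dst": dst,
            "uploads": len(sessions),
            "total_mib": round(sum(c.bytes_out for c in sessions) / 2**20, 1),
            "median_gap_days": round(median_gap.total_seconds() / 86400, 1),
            "ports": sorted({c.dport for c in sessions}),
        })
    return alerts


MIB = 1024 * 1024
# Constructed records (documentation-range addresses, not real IoCs).
SAMPLE_CONNS = [
    # Twice-monthly large HTTPS uploads from one server to one external host.
    Conn(datetime(2021, 3, 10, 2, 14), "10.0.5.21", "203.0.113.45", 443, 40 * MIB, 18_000),
    Conn(datetime(2021, 3, 26, 1, 52), "10.0.5.21", "203.0.113.45", 443, 37 * MIB, 21_000),
    Conn(datetime(2021, 4, 9, 3, 5), "10.0.5.21", "203.0.113.45", 443, 44 * MIB, 17_500),
    Conn(datetime(2021, 4, 24, 2, 41), "10.0.5.21", "203.0.113.45", 443, 39 * MIB, 19_000),
    # Frequent small check-ins to the same host: below the size floor.
    *[Conn(datetime(2021, 3, 10 + d, 8), "10.0.5.21", "203.0.113.45", 443, 2_048, 1_024)
      for d in range(5)],
    # Nightly offsite backup: large, but daily, so the gap filter drops it.
    *[Conn(datetime(2021, 3, 10 + d, 23), "10.0.5.30", "198.51.100.7", 443, 50 * MIB, 9_000)
      for d in range(4)],
    # A single large upload: no repeating pattern.
    Conn(datetime(2021, 3, 12, 11), "10.0.5.44", "203.0.113.9", 443, 30 * MIB, 8_000),
]

if __name__ == "__main__":
    for alert in find_low_slow_exfil(SAMPLE_CONNS):
        print(alert)
```

The size floor removes routine beaconing, the upload ratio removes downloads and streaming, and the median-gap test removes scheduled daily jobs, which is why only the twice-monthly pair survives on the sample data. Because the article notes the malware routes through a SOCKS or HTTPS proxy and uses Cloudflare-associated addresses, the destination in real logs may be a proxy or a CDN edge rather than the true C2; the source host and the cadence remain the stable part of the signal.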


To improve their security posture, teams are encouraged to follow standard procedures for responding to newly identified malware in the wild and to review the published indicators of compromise. It has also been suggested that enterprises ensure their anti-malware and intrusion detection products carry updated signatures for the malware, a step that notably improves their resilience against such threats.

In an effort to curb the spread of the malicious software, Cisco has implemented detection for the Zardoor malware in its enterprise security tools and published indicators of compromise. Other vendors are expected to follow suit and roll out similar detection and response capabilities.

