An Islamic charitable non-profit organization in Saudi Arabia has fallen victim to a cyber-espionage operation that has been ongoing since May 2023. The attackers, whose identity remains unknown, employed sophisticated tactics to gain access to the organization’s network.
According to a recent advisory released by cybersecurity firm Talos, the threat actors used a malware called “Zardoor” to establish persistence within the organization’s network. To avoid detection, they utilized open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks, and Venom, which were customized to minimize dependencies and seamlessly execute commands.
Once inside the network, the attackers used Windows Management Instrumentation (WMI) to move laterally and remotely execute commands. They deployed backdoors such as “zar32.dll” and “zor32.dll” to maintain access and steal data from compromised systems. To ensure their continued presence within the network, the threat actors manipulated system services, created scheduled tasks, and utilized reverse proxies to establish communication with external servers, making it difficult to detect malicious traffic.
The use of tools like FRP and Venom highlights the sophistication of the attackers, as these are legitimate tools repurposed for malicious activities, making it more challenging to identify and mitigate the threat.
Talos commented on the high level of skill demonstrated by the threat actors in creating new tooling such as the Zardoor backdoors, customizing open-source proxy tools, and leveraging several Living off the Land Binaries (LoLBins) to evade detection. The use of techniques such as side-loading backdoors contained in “oci.dll” via MSDTC was especially noted as an effective method of remaining undetected while maintaining long-term access to the victim’s network.
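As an added illustration (not code from the Talos advisory or from this article), the following Python script shows how a defender could hunt for the techniques described above, WMI-spawned processes, scheduled task creation, new service installs, and oci.dll loaded by msdtc.exe, over a handful of constructed Windows Security/System/Sysmon event records. The event IDs and field names are the standard ones; the sample events, task and service names are constructed for the example.

```python
"""Hunt for the lateral-movement and persistence techniques described above
in Windows event records. Added example; all sample events are constructed."""

# Constructed sample events (not real telemetry). Each record carries the
# channel, the event ID and a flat dict of the event-data fields used here.
SAMPLE_EVENTS = [
    # Security 4688: process spawned by the WMI provider host (remote WMI exec)
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "ParentProcessName": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    # Security 4698: a scheduled task was created (constructed task name)
    {"Channel": "Security", "EventID": 4698, "TaskName": r"\Updater"},
    # System 7045: a new service was installed (constructed service name/path)
    {"Channel": "System", "EventID": 7045, "ServiceName": "svchelper",
     "ImagePath": r"C:\ProgramData\svc.exe"},
    # Sysmon 7 (image loaded): msdtc.exe loading oci.dll, the side-loading
    # pattern named in the advisory
    {"Channel": "Sysmon", "EventID": 7,
     "Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\oci.dll"},
    # Benign noise: an ordinary process creation that must not be flagged
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": r"C:\Windows\explorer.exe",
     "ParentProcessName": r"C:\Windows\System32\userinit.exe"},
]

def _basename(path):
    """Case-insensitive file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return a technique label if the event matches one of the rules, else None."""
    eid, ch = ev.get("EventID"), ev.get("Channel")
    if ch == "Security" and eid == 4688 and \
            _basename(ev.get("ParentProcessName", "")) == "wmiprvse.exe":
        return "wmi_remote_exec"
    if ch == "Security" and eid == 4698:
        return "scheduled_task_created"
    if ch == "System" and eid == 7045:
        return "service_installed"
    # Legitimate Oracle clients can load oci.dll too, so triage the load path.
    if ch == "Sysmon" and eid == 7 and _basename(ev.get("Image", "")) == "msdtc.exe" \
            and _basename(ev.get("ImageLoaded", "")) == "oci.dll":
        return "msdtc_oci_sideload"
    return None

def hunt(events):
    """Return (technique, event) pairs for every event that matches a rule."""
    return [(t, ev) for ev in events if (t := classify(ev))]

if __name__ == "__main__":
    for technique, ev in hunt(SAMPLE_EVENTS):
        print(f"{technique}: {ev}")
```

Each hit is a lead to triage against change records and known software, not a verdict on its own.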
Despite extensive analysis, Talos was unable to attribute this cyber-espionage campaign to any known threat actor. The level of expertise demonstrated by the attackers, along with their ability to create and customize tools, indicated the involvement of an advanced and skilled adversary.
The targeted Islamic charitable non-profit organization based in Saudi Arabia has been the subject of a relentless cyber-espionage campaign that began in May 2023. The aggressors’ identity has remained unknown. They used malware known as “Zardoor” to infiltrate the organization’s network and established persistence. To avoid detection, they made use of open-source reverse proxy tools such as FRP, sSocks, and Venom, customized to execute commands seamlessly.
Once inside the network, the attackers employed Windows Management Instrumentation (WMI) to move laterally and execute commands remotely. They deployed backdoors such as “zar32.dll” and “zor32.dll” to maintain access and exfiltrate data. To ensure their presence, they manipulated system services, created scheduled tasks, and utilized reverse proxies to establish communication with external servers.
The use of tools like FRP and Venom demonstrated the attackers’ sophistication, complicating efforts to identify and mitigate the threat.
Talos commented on the high level of skill demonstrated by the attackers in creating new tooling, customizing open-source proxy tools, and leveraging several LoLBins to evade detection. Talos was unable to attribute this campaign to any known threat actor despite extensive analysis, indicating the involvement of an advanced and skilled adversary.
In conclusion, the cyber-espionage campaign against the Islamic charitable non-profit organization in Saudi Arabia has showcased the sophistication and skill of the threat actors involved. Their ability to create and customize tools, evade detection, and maintain access within the network has presented a significant challenge to cybersecurity experts. The complex nature of the attack underscores the need for continued vigilance and advanced cybersecurity measures to defend against such threats in the future.