Saudi charity targeted by sophisticated cyber-attack – no mercy shown

February 12, 2024



Sophisticated Cyber-Attack Hits Islamic Charity in Saudi Arabia

TLDR:

An Islamic charitable non-profit organization in Saudi Arabia has been the target of a long-running cyber-espionage campaign. The intrusion began in May 2023 and relied on a backdoor that Cisco Talos calls "Zardoor", together with customized open-source reverse proxy tools. The attackers used Windows Management Instrumentation (WMI) to move laterally and run commands on remote hosts, and they kept their foothold and their outbound command-and-control channels alive by tampering with system services and creating scheduled tasks. Their reliance on widely available tooling adapted for the intrusion, rather than on bespoke malware alone, is what makes the activity hard to spot. Despite extensive analysis, the campaign could not be attributed to any known threat actor.

According to a new advisory from cybersecurity firm Cisco Talos, the attackers used the Zardoor backdoor to gain a persistent foothold in the target organization's network. They also customized open-source reverse proxy tools, trimming their dependencies so that they could be dropped on compromised hosts and run with minimal footprint. Lateral movement and remote command execution were carried out through Windows Management Instrumentation (WMI). Additional backdoors were deployed to retain access and exfiltrate data from compromised systems, and persistence, along with connectivity to attacker-controlled servers, was maintained by modifying existing system services and creating scheduled tasks.

The attackers' use of tools such as FRP (Fast Reverse Proxy) and Venom underlines the point: these are legitimate open-source reverse proxies repurposed to tunnel traffic out of the victim network. Because the same tools are common in administrative and penetration-testing use, their presence blends in, which makes the activity harder to identify and to eradicate. Talos noted that the expertise on display, coupled with the attackers' ability to create and customize tooling, suggests an advanced and skilled adversary. Even so, after extensive analysis Talos was unable to attribute the campaign to any known threat actor.
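The three behaviours the advisory describes (remote execution over WMI, a new service pointing at a payload, and a scheduled task that launches it) each leave a standard Windows event behind, and a defender can triage them together without any of the attackers' own indicators. The script below is an added example written for this page, not code from Talos or from the article; the event records it runs over are constructed, the host names and paths are fictitious, and the field names are an assumption of the example rather than a fixed log schema. What is real is the event mapping: Security 4688 (process creation, whose parent is WmiPrvSE.exe when a process was started through WMI), System 7045 (a new service installed) and Security 4698 (a scheduled task created).

```python
import ntpath
import re

# Constructed sample event records: fictitious hosts, names and paths chosen
# for this example, not indicators from the Talos advisory. The field names
# are an assumption of this example, not a fixed Windows log schema.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4688, "host": "FS01",
     "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cmd.exe /c sc create updsvc binPath= C:\ProgramData\upd\updsvc.exe"},
    {"channel": "System", "id": 7045, "host": "FS01",
     "service_name": "updsvc", "image_path": r"C:\ProgramData\upd\updsvc.exe"},
    {"channel": "Security", "id": 4698, "host": "FS01",
     "task_name": r"\Microsoft\Windows\Maintenance\Refresh",
     "task_content": r"<Command>rundll32.exe</Command><Arguments>C:\ProgramData\upd\helper.dll,Run</Arguments>"},
    {"channel": "System", "id": 7045, "host": "WS22",
     "service_name": "Sense",
     "image_path": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"},
    {"channel": "Security", "id": 4688, "host": "WS22",
     "new_process": r"C:\Windows\System32\notepad.exe",
     "parent_process": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]

# Binaries normally live here; service images and task payloads elsewhere deserve a look.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Built-in binaries commonly used to launch a payload from a scheduled task.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "powershell.exe",
           "cmd.exe", "wscript.exe", "cscript.exe"}
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s,;]+")


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_wmi_exec(ev):
    """T1047: a process whose parent is the WMI provider host is typically the result
    of a remote Win32_Process.Create call (wmic /node:..., Invoke-WmiMethod, or a custom tool)."""
    if (ev["channel"] == "Security" and ev["id"] == 4688
            and ntpath.basename(ev["parent_process"]).lower() == "wmiprvse.exe"):
        return "T1047", f"{ntpath.basename(ev['new_process'])} spawned by WmiPrvSE.exe: {ev['command_line']}"
    return None


def check_service_install(ev):
    """T1543.003: System 7045 records every new service; an image outside system dirs is the filter."""
    if ev["channel"] == "System" and ev["id"] == 7045 and not in_system_dir(ev["image_path"]):
        return "T1543.003", f"service {ev['service_name']!r} installed from {ev['image_path']}"
    return None


def check_scheduled_task(ev):
    """T1053.005: Security 4698 carries the task XML; flag LOLBin launchers or non-system payload paths."""
    if ev["channel"] == "Security" and ev["id"] == 4698:
        content = ev["task_content"]
        cmd_m = re.search(r"<Command>([^<]+)</Command>", content)
        cmd = ntpath.basename(cmd_m.group(1)).lower() if cmd_m else ""
        args_m = re.search(r"<Arguments>([^<]*)</Arguments>", content)
        args = args_m.group(1) if args_m else ""
        if cmd in LOLBINS or any(not in_system_dir(p) for p in WIN_PATH.findall(args)):
            return "T1053.005", f"task {ev['task_name']} runs {cmd} {args}".rstrip()
    return None


CHECKS = (check_wmi_exec, check_service_install, check_scheduled_task)


def triage(events):
    """Return one finding per matching (event, check) as {host, technique, detail}."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append({"host": ev["host"], "technique": hit[0], "detail": hit[1]})
    return findings


def hosts_to_escalate(findings, min_techniques=2):
    """Hosts showing the execution-plus-persistence pairing the advisory describes."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, t in per_host.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['host']}  {f['technique']:<10} {f['detail']}")
    print("escalate:", hosts_to_escalate(triage(SAMPLE_EVENTS)))
```

On the constructed data the file server FS01 trips all three checks and is the only host escalated; the workstation's legitimate Defender service and its explorer-spawned notepad are left alone. Two prerequisites apply on real hosts: 4688 only carries the command line when "Include command line in process creation events" is enabled, and 4698 requires the "Audit Other Object Access Events" subcategory; 7045 is written to the System log by default.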

