Security researchers recently uncovered a stealthy spy campaign targeting a non-profit Islamic charity in Saudi Arabia.
The long-term campaign – apparently active since March 2021 – is built around a previously unreported custom backdoor called Zardoor, Cisco Talos researchers reported. The malware exfiltrates data from the victim organization, which Cisco has not named, roughly twice a month.
The use of modified reverse proxy tools and the ability to evade detection for more than two years mean the campaign is likely the work of an “advanced” attacker, the researchers say.
Security researchers have yet to identify any victims of the Zardoor malware other than the Saudi Arabia-based charity.
APTs love reverse proxies
Zardoor’s use of reverse proxy tools matches the tactics of many Chinese Advanced Persistent Threat (APT) groups, according to Cisco Talos, but the “choice of the compromised target is not in line with the known targets” of Chinese espionage groups.
APT groups using reverse proxy tools are “relatively common,” overall, says Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest Threat Research.
Russia’s APT29, China’s Volt Typhoon, North Korea’s Lazarus Group and various Iranian state-sponsored groups, including Phosphorus, are among the nation-state actors known to use reverse proxy tools.
Reverse proxies are typically used as load balancers in complex system and application architectures. Malicious actors, however, abuse the same technology to reach systems that would otherwise be unreachable from outside a compromised network, such as RDP servers, domain controllers, and file or database servers.
“Reverse proxies work by allowing you to establish secret communication channels between internal systems on a compromised network and external servers controlled by an adversary group,” says Christoph Cemper, founder and CEO of AIPRM.
“On a technical level, this is achieved by the adversary deploying both a reverse proxy client component within the target environment and a corresponding server interface that it controls remotely,” he adds. “Network traffic is then rerouted through this multi-part bidirectional tunnel in a way that obscures the source and final destination.”
Cemper explains that attackers often take steps to disguise these proxied connections as normal web or Internet activity, for example by routing communications over ports associated with common protocols such as HTTPS and embedding redirects within legitimate domain names or IP addresses.
“The incorporation of widely supported standards such as TLS encryption also protects the content and parameters of data transmitted from routine inspections or detections,” he says.
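The mechanism Cemper describes, reduced to its essentials, as an added example (this is illustrative code written for this article, not code from Cisco Talos, from the Zardoor campaign, or from any of the proxy tools it names): three roles run on localhost, standing in for an internal-only server, an implant inside the victim network, and an attacker-controlled server on the Internet. The only connection that crosses the “perimeter” is the implant dialing out, yet the operator ends up talking to the internal host. Real tools such as FRP add multiplexing, authentication and TLS on top of this same pattern; the role names, ports and payload below are assumptions of the example.

```python
import socket
import threading

HOST = "127.0.0.1"  # all three roles run locally; in reality they sit on three networks


def pipe(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def bridge(a, b):
    """Relay in both directions between two connected sockets."""
    for src, dst in ((a, b), (b, a)):
        threading.Thread(target=pipe, args=(src, dst), daemon=True).start()


def start_internal_service():
    """Stand-in for an internal-only server (RDP, DC, database): accepts one client,
    reads until EOF and answers with the request prefixed by b'internal:'. Returns its port."""
    srv = socket.socket()
    srv.bind((HOST, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            request = b""
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                request += data
            conn.sendall(b"internal:" + request)

    threading.Thread(target=run, daemon=True).start()
    return port


def start_operator_server():
    """Attacker-side server on the 'Internet': one listener the implant dials OUT to and
    one the operator connects to; the two are bridged. Returns (implant_port, operator_port)."""
    implant_l, operator_l = socket.socket(), socket.socket()
    for listener in (implant_l, operator_l):
        listener.bind((HOST, 0))
        listener.listen(1)
    ports = (implant_l.getsockname()[1], operator_l.getsockname()[1])

    def run():
        implant, _ = implant_l.accept()    # inbound from the victim network (implant initiated it)
        operator, _ = operator_l.accept()  # the adversary's own client
        implant_l.close()
        operator_l.close()
        bridge(operator, implant)

    threading.Thread(target=run, daemon=True).start()
    return ports


def start_reverse_proxy_agent(server_port, target_port):
    """Implant inside the victim network. Note the direction: it connects OUT to the operator
    server (an ordinary-looking egress connection), then opens the internal target and relays
    between the two, so a party outside the perimeter reaches a host inside it."""
    def run():
        outbound = socket.create_connection((HOST, server_port))
        inside = socket.create_connection((HOST, target_port))
        bridge(outbound, inside)

    threading.Thread(target=run, daemon=True).start()


def reach_internal_host_via_tunnel(payload=b"SELECT 1"):
    """Wire the three roles together, then act as the operator: send payload, return the reply."""
    target_port = start_internal_service()
    implant_port, operator_port = start_operator_server()
    start_reverse_proxy_agent(implant_port, target_port)
    with socket.create_connection((HOST, operator_port)) as op:
        op.sendall(payload)
        op.shutdown(socket.SHUT_WR)  # signal end of request; EOF travels down the tunnel
        chunks = []
        while True:
            data = op.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    print(reach_internal_host_via_tunnel())
```

The defensive point is the direction of the arrows: nothing ever connects inbound to the victim network, so inbound firewall rules never see the tunnel. What a defender can see is the implant’s long-lived outbound session, which is why the detection work has to focus on egress metadata rather than on blocking inbound ports.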
Counter the threat
According to Cisco Talos’ technical blog post, the Zardoor campaign began with an initial access vector that is still unknown.
The attackers subsequently built the command and control mechanism for the operation out of open source reverse proxy tools: Fast Reverse Proxy (FRP), a customized version of sSocks, and Venom, a multi-hop proxy tool built for penetration testers.
Once they had established a foothold in the victim’s network, the attackers used Windows Management Instrumentation (WMI) to move laterally and install the Zardoor malware.
Zardoor establishes a persistent backdoor that communicates with the attackers’ command and control (C2) infrastructure, allowing them to issue commands, for example to deploy updated malware components or to exfiltrate data. The malware is programmed to collect data and upload it, encrypted, to the attackers’ C2 infrastructure.
“Zar32.dll”, a malicious library, is one of Zardoor’s main components. It is an HTTP/SSL remote access tool (RAT) designed to blend in with legitimate network traffic, and it can communicate through a SOCKS or HTTPS proxy. The malware also abuses IP addresses belonging to Cloudflare’s DNS service.
Cisco has added Zardoor detection to its enterprise security products and published indicators of compromise (IoCs), moves that will likely push the rest of the vendor community to add similar detection and response capabilities.
“Even companies using security products other than Cisco’s have options to improve their resiliency,” says AIPRM’s Cemper. “In particular, security teams should follow standard protocols to address new malware threats identified in the wild: review indicators of compromise published by threat researchers and check systems and network activity logs for any traces that suggest an infection.”
He also recommends making sure anti-malware and intrusion detection products have up-to-date signatures.
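Matching published IoCs is the first step, but a customized proxy tool will not match anyone’s signature, and TLS hides the payload. What it cannot hide is session metadata: a proxy tunnel stays up for hours, and a twice-monthly exfiltration is an upload-heavy session to a host that otherwise sees only browsing-sized traffic. The following is an added example, not part of the article or of Cisco Talos’ publication, of what that log review might look like over Zeek-style connection records. The log rows, internal address ranges, thresholds and the IoC entry (a documentation address, standing in for whatever the vendor published) are all constructed for the example.

```python
import ipaddress

# Constructed Zeek-style conn.log rows (tab-separated, no header). Sample data for this
# example, not real telemetry. Fields: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p,
# proto, duration (seconds), orig_bytes, resp_bytes.
SAMPLE_CONN_LOG = """\
1708000000.0\t10.10.5.21\t51522\t203.0.113.10\t443\ttcp\t86100.0\t1200\t3400
1708000010.0\t10.10.5.21\t51530\t198.51.100.7\t443\ttcp\t0.4\t900\t12000
1708000020.0\t10.10.5.40\t49212\t203.0.113.10\t443\ttcp\t3.1\t25000000\t800
1708000030.0\t10.10.5.33\t50001\t192.0.2.44\t443\ttcp\t12.0\t500\t9000
1708000040.0\t10.10.5.33\t50002\t10.10.5.1\t3389\ttcp\t600.0\t4000\t200000
"""

# The organisation's own address space (hypothetical); anything else counts as outside.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder IoC set: populate from the vendor's published indicators. 192.0.2.44 is a
# documentation address used here only so the IoC path has something to match.
IOC_IPS = {"192.0.2.44"}

LONG_SESSION_SECONDS = 4 * 3600       # a proxy tunnel stays up; a web session does not
BULK_UPLOAD_BYTES = 10 * 1024 * 1024  # one large outbound upload is an exfiltration candidate


def parse_conn_log(text):
    """Parse tab-separated conn.log rows into dicts; blank lines and '#' comment lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        records.append({
            "ts": float(f[0]), "orig_h": f[1], "orig_p": int(f[2]),
            "resp_h": f[3], "resp_p": int(f[4]), "proto": f[5],
            "duration": float(f[6]), "orig_bytes": int(f[7]), "resp_bytes": int(f[8]),
        })
    return records


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Return the reasons an outbound record looks like tunnel or exfiltration traffic ([] if none)."""
    if not (is_internal(rec["orig_h"]) and not is_internal(rec["resp_h"])):
        return []  # only egress is interesting here; the tunnel is always dialled from inside
    reasons = []
    if rec["resp_h"] in IOC_IPS:
        reasons.append("ioc_match")
    if rec["resp_p"] == 443 and rec["duration"] >= LONG_SESSION_SECONDS:
        reasons.append("long_lived_443")  # TLS hides the content, not the session length
    if rec["orig_bytes"] >= BULK_UPLOAD_BYTES and rec["orig_bytes"] > 10 * rec["resp_bytes"]:
        reasons.append("bulk_upload")     # upload-dominated, the opposite of browsing
    return reasons


def find_tunnel_candidates(records):
    """(orig_h, resp_h, resp_p, reasons) for every record that trips at least one check."""
    found = []
    for r in records:
        reasons = classify(r)
        if reasons:
            found.append((r["orig_h"], r["resp_h"], r["resp_p"], reasons))
    return found


def group_by_destination(findings):
    """Pivot on the external endpoint: one destination reached by several internal hosts for
    different reasons (a tunnel from one, a bulk upload from another) is a stronger signal
    than any single row on its own."""
    out = {}
    for orig, resp, _port, reasons in findings:
        entry = out.setdefault(resp, {"hosts": set(), "reasons": set()})
        entry["hosts"].add(orig)
        entry["reasons"].update(reasons)
    return out


if __name__ == "__main__":
    findings = find_tunnel_candidates(parse_conn_log(SAMPLE_CONN_LOG))
    for dest, info in group_by_destination(findings).items():
        print(dest, sorted(info["hosts"]), sorted(info["reasons"]))
```

The thresholds are deliberately crude and should be tuned per environment; the point is that none of the three checks depends on reading the encrypted payload, and that pivoting on the destination ties the long-lived tunnel and the periodic upload back to the same external endpoint.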
Cisco Talos recommends a defense-in-depth approach to guard against similar threats. “Unfortunately, as we know all too well, there is no 100% effective protection against persistent and advanced adversaries, and users must be able to detect the attack if it manages to evade layers of protection,” a Cisco spokesperson said.