Cisco Talos discovers sophisticated ‘Zardoor’ malware

Like that one employee who surprises everyone at the holiday party, some malware found by Cisco Talos researchers had been working undetected since 2021.

The backdoor, known as “Zardoor,” used stealthy tactics, including trusted processes like Windows Management Instrumentation (WMI) and modified pen-testing tools like reverse proxies.

Though the researchers found just one Zardoor victim, according to the report, more instances are possible.

“At this time, we have only discovered one compromised target, however, the threat actor’s ability to maintain long-term access to the victim’s network without discovery suggests there could be others,” the February post read.

Talos found the ongoing espionage campaign in May of last year, “targeting an Islamic charitable nonprofit organization in Saudi Arabia that exfiltrates data approximately twice a month.”

The initial access vector is unknown, according to the team.

To stay hidden, the adversaries used a variety of deceptive tactics, the report said:

• Reverse proxies. Persistent reverse proxies, a bit like secret tunnels, provide concealment for the attackers. If a forward proxy establishes a private connection from a machine to the internet, a reverse proxy establishes one from the internet to the machines.
• Command and control. With open-source reverse proxy tools, the threat actors established a “C2,” or command and control, server, allowing attackers to issue instructions to the Zardoor malware.
• LOLBins. Not a text from someone laughing at the Container Store, LOLBins, or living-off-the-land binaries, refer to an OS’s pre-installed services, trusted tools that already arrive approved. (In this case, according to the Talos report, the threat actor used trusted WMI to send commands and spread the Zardoor tool.)
• Name changes. The attacker deleted a legitimate scheduled task (“KasperskySecurity” or “Microsoft Security Essentials”) and created a new, malicious one disguising its proxy.

“What’s most notable in this particular attack is that we discovered a new, previously unknown backdoor, which cannot be classified as something that's a commodity-type backdoor,” Vanja Svajcer, threat researcher for Cisco Talos and one of the writers of the February report, told IT Brew.

Such modification reveals sophistication beyond the everyday tools used by cybercriminals, according to Victor Acin, head of threat-intelligence operations at the cybersecurity company Outpost24.

“Being able to basically create or modify your own tool shows a degree of expertise that’s a bit more advanced than what you would usually find in these sorts of intrusions,” Acin said, noting that most breaches happen via readily available exploits and stolen credentials.

Talos said the use of reverse-proxy tools overlaps with tactics, techniques, and procedures “employed by several threat groups originating from China,” but the guess can only be made with “low confidence” based on the choice of target and use of tools that can be used by any threat actor.

“When you find something that’s completely new, and previously not used in a very small environment, like a single target…then it’s very likely that it can be attributed to a single group. And so this new backdoor that we’ve discovered, which we named Zardoor, indicates that there may be a new group or there is a new tool that’s used by some existing groups that we haven’t been able to attribute at the moment,” Svajcer told IT Brew.