A recent cyberespionage campaign has introduced a new malware backdoor, referred to as “Zardoor,” targeting an Islamic non-profit organization. Cybersecurity researchers have been monitoring the campaign’s activity, which is speculated to be of Chinese origin. This sophisticated malware uses a variety of methods to avoid detection while establishing long-term access within compromised networks.
Advanced Infiltration and Persistence Strategies
Zardoor employs several advanced strategies to infiltrate systems and evade traditional security measures. The malware makes use of reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks, and Venom. These tools are commonly used by legitimate penetration testers, which helps the malware remain undetected while it establishes a presence within the target system. To move laterally and propagate, the threat actors rely on native Windows tooling, abusing Windows Management Instrumentation (WMI).
Complex Execution Mechanism of Zardoor
This malware is built to ensure persistent unauthorized access to victim networks. It leverages multiple Dynamic Link Library (DLL) files, including “zar32.dll” for communication with the command and control (C2) server and “zor32.dll” to confirm adequate privilege levels for the main backdoor component. The exact means of initial deployment remains unidentified, though the dropper is designed to manipulate the “msdtc.exe” process to load a malicious payload known as “oci.dll.”
The execution process is driven by the “ServiceMain()” service entry point, which triggers “msdtc.exe” to load “zar32.dll” using a specific command. “zor32.dll” is loaded with a similar command, ensuring both components are active and operating in tandem.
Once the C2 connection is established, “zar32.dll” can carry out various commands from the server, ranging from encrypting and sending data, to executing payloads and remote shellcode, and even deleting itself to hinder tracing.
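As an added defender’s example (not code from this article or from Talos), the following Python script hunts for the loading chain described above in image-load telemetry: it parses constructed Sysmon-style ImageLoad records and flags “msdtc.exe” loading “oci.dll” or any DLL from outside the Windows system directories, and any process loading “zar32.dll” or “zor32.dll”. The record format, the field names and every path in the sample log are assumptions constructed for this example.

```python
"""Hunt for the Zardoor msdtc.exe loading chain in image-load records.

The 'key=value|key=value' record format and the sample paths below are
constructed for this example; they are not Sysmon's real XML/EVTX layout.
"""
import ntpath
from dataclasses import dataclass

# Components the article ties to Zardoor. zar32/zor32 have no legitimate
# use, so they are flagged regardless of which process loads them.
ZARDOOR_COMPONENTS = {"zar32.dll", "zor32.dll"}
# Directories from which a legitimate msdtc.exe is expected to load DLLs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


@dataclass
class ImageLoad:
    image: str         # process that performed the load
    image_loaded: str  # full path of the DLL that was mapped


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'Key=Value|Key=Value' record into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(image=fields["Image"], image_loaded=fields["ImageLoaded"])


def is_suspicious(ev: ImageLoad) -> bool:
    """Apply the three checks: known component name, oci.dll under msdtc.exe,
    or msdtc.exe loading anything from outside the system directories."""
    loader = ntpath.basename(ev.image).lower()
    dll_name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower().rstrip("\\")
    if dll_name in ZARDOOR_COMPONENTS:
        return True
    if loader != "msdtc.exe":
        return False
    # oci.dll is a legitimate Oracle client library elsewhere, so it (and any
    # DLL from a non-system directory) is only flagged when msdtc.exe loads it.
    return dll_name == "oci.dll" or dll_dir not in SYSTEM_DIRS


def find_suspicious(lines) -> list:
    """Return the loaded-image paths of every suspicious record, in log order."""
    return [ev.image_loaded for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample log: one benign load, then three matching the chain.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Windows\System32\msdtc.exe|ImageLoaded=C:\Windows\System32\kernel32.dll",
    r"EventID=7|Image=C:\Windows\System32\msdtc.exe|ImageLoaded=C:\Windows\System32\oci.dll",
    r"EventID=7|Image=C:\Windows\System32\msdtc.exe|ImageLoaded=C:\Users\Public\zar32.dll",
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Users\Public\zor32.dll",
]

if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_LOG):
        print("suspicious image load:", path)
```

The last sample record shows why the component-name check is not scoped to msdtc.exe: a renamed loader would otherwise slip past a rule keyed only on the parent process.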
Talos, a cybersecurity firm, has provided an in-depth analysis of Zardoor’s source code, mechanisms, and behaviors. This comprehensive insight into the malware’s technical workings is available on their platform.
Cybersecurity vigilance is essential as sophisticated threats like Zardoor emerge. Staying informed about the latest security news and insights can help organizations protect their networks from these advanced cyber threats.