Sophisticated Cyber-Attack Hits Islamic Charity in Saudi Arabia
An Islamic charitable non-profit organization based in Saudi Arabia has been the target of a prolonged cyber-espionage campaign. The campaign began in May 2023 and involved sophisticated tactics employed by an unidentified threat actor.
According to a new advisory by cybersecurity firm Talos, the attackers, whose initial access vector remained undisclosed, used malware dubbed “Zardoor” to establish persistence within the target organization’s network.
To evade detection, they made extensive use of open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks and Venom. These tools were customized to minimize dependencies and execute commands seamlessly.
Once inside the network, the threat actor employed Windows Management Instrumentation (WMI) to move laterally and execute commands remotely. They deployed a series of backdoors, including “zar32.dll” and “zor32.dll,” to maintain access and exfiltrate data from the compromised systems.
To ensure persistence, the attackers employed various techniques, including the manipulation of system services and the creation of scheduled tasks. Additionally, they utilized reverse proxies to establish communication with external servers, making it difficult to detect malicious traffic.
The threat actor’s use of tools like FRP and Venom underscores their sophistication, as these are legitimate tools repurposed for malicious activities. Such tactics increase the stealthiness of the attack and complicate efforts to identify and mitigate the threat.
“The threat actor appears highly skilled based on their ability to create new tooling, such as the Zardoor backdoors, customize open-source proxy tools and leverage several LoLBins including ‘msdtc.exe’ to evade detection,” Talos wrote.
“In particular, side-loading backdoors contained in ‘oci.dll’ via MSDTC is a very effective method of remaining undetected while maintaining long-term access to a victim’s network.”
Despite extensive analysis, Talos was unable to attribute this campaign to any known threat actor. The level of expertise demonstrated by the attackers, coupled with their ability to create and customize tools, suggested the involvement of an advanced and skilled adversary.
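As an added example (not part of the original article or Talos's own tooling), the following script shows how a defender might screen endpoint image-load telemetry for the two indicators the report names: `msdtc.exe` side-loading `oci.dll`, and the `zar32.dll`/`zor32.dll` backdoor file names. The key=value record layout and the sample events are constructed for this example and stand in for Sysmon Event ID 7 (ImageLoad) data.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real telemetry), modelled on Sysmon Event ID 7 fields.
SAMPLE_EVENTS = """\
Image=C:\\Windows\\System32\\msdtc.exe|ImageLoaded=C:\\Windows\\System32\\oci.dll|Signed=false
Image=C:\\Windows\\System32\\msdtc.exe|ImageLoaded=C:\\Windows\\System32\\msdtctm.dll|Signed=true
Image=C:\\Windows\\System32\\svchost.exe|ImageLoaded=C:\\Windows\\System32\\zor32.dll|Signed=false
Image=C:\\Program Files\\App\\app.exe|ImageLoaded=C:\\Program Files\\App\\helper.dll|Signed=true
"""

# DLL names reported by Talos for the Zardoor backdoors; a name match is a weak
# indicator on its own, so it is reported separately from the MSDTC finding.
WATCHED_DLLS = {"zar32.dll", "zor32.dll"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' record into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict label for a suspicious image load, or None if benign."""
    image = basename(event.get("Image", ""))
    loaded = basename(event.get("ImageLoaded", ""))
    signed = event.get("Signed", "").lower() == "true"
    # Windows does not ship oci.dll; msdtc.exe loading one is the side-loading
    # path described in the report. Legitimate Oracle XA integrations exist,
    # so an unsigned copy is the stronger signal and gets its own label.
    if image == "msdtc.exe" and loaded == "oci.dll":
        return "msdtc-oci-sideload" + ("" if signed else "-unsigned")
    if loaded in WATCHED_DLLS:
        return "zardoor-dll-name"
    return None


def scan(text: str) -> List[Tuple[str, str, str]]:
    """Yield (verdict, loading image, loaded DLL) for every suspicious record."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((verdict, event["Image"], event["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(*hit, sep="  ")
```

Any `msdtc-oci-sideload` hit should be triaged by checking the DLL's signature and origin rather than treated as a confirmed compromise.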