Threat actors are reportedly spreading a new type of malware, which is probably part of a covert espionage operation that has been ongoing since March 2021. “Zardoor” is the name of this new malware backdoor. Reverse proxy tools are used in several sophisticated strategies used by this malware to avoid detection and be persistent for several years.

Furthermore, the threat actor has been deploying the backdoor and gaining C2 access over the compromised computers by employing living-off-the-land binaries. However, as of right now, this backdoor has only compromised one target, an Islamic non-profit organization.

The usage of reverse proxy techniques, which are primarily employed by TTPs of threat organizations with Chinese origins, has led to speculation that the threat actor may be based in China.

Stealthy Zardoor Malware

Although the threat actor uses open-source reverse proxy tools like Fast Reverse Proxy (FRP), sSocks, and Venom—which are widely utilized by penetration testers—the initial access vector of this backdoor remains unknown.

After gaining access to the infected machine, the threat actor spreads the backdoor and other attacker tools by moving laterally and utilizing Windows Management Instrumentation.

Execution of Zardoor Backdoor

The purpose of this backdoor is to allow continuous access to the hacked machine. which makes use of multiple DLL files, including “zor32.dll” and “zar32.dll.” It is discovered that “zar32.dll” is the primary backdoor component that interacts with the C2 server, while “zor32.dll” makes sure that zar32.dll has been installed with the appropriate administrator rights.

Although the backdoor initial dropper has not yet been located, the samples gathered indicate that its primary function is to set up “msdtc.exe” to load the malicious payload “oci.dll.”

To start “zar32.dll,” the msdtc.exe executes ServiceMain(). Rundll32.exe C:WINDOWSsystem32zar32.dll MainEntry is used to load this malicious DLL. Rundll32.exe C:WINDOWSsystem32zor32.dll MainEntry loads the “Zor32.dll” from the same exported method while this is running.

Following complete connection establishment, “zar32.dll” can execute the following C2 commands:

1. Encrypt and send data to C2.
2. Search for the session ID.
3. Remote shellcode execution.
4. Execute remotely fetched PE payload.
5. Delete this RAT.
6. Update C2 IP.

Talos offers comprehensive details on the DLL behavior, methods used, source code, and other information.