Stealthy Zardoor Backdoor Targets Saudi Islamic Charity Organization

An unnamed Islamic non-profit organization in Saudi Arabia has been targeted as part of a stealthy cyber espionage campaign designed to drop a previously undocumented backdoor called Zardoor.

Cisco Talos, which discovered the activity in May 2023, said the campaign has likely persisted since at least March 2021, adding it has identified only one compromised target to date, although it's suspected that there could be other victims.

"Throughout the campaign, the adversary used living-off-the-land binaries (LoLBins) to deploy backdoors, establish command-and-control (C2), and maintain persistence," security researchers Jungsoo An, Wayne Lee, and Vanja Svajcer said, calling out the threat actor's ability to maintain long-term access to victim environments without attracting attention.

The intrusion targeting the Islamic charitable organization involved the periodic exfiltration of data roughly twice a month. The exact initial access vector used to infiltrate the entity is currently unknown.

The foothold obtained, however, has been leveraged to drop Zardoor for persistence, followed by establishing C2 connections using open-source reverse proxy tools such as Fast Reverse Proxy (FRP), sSocks, and Venom.

"Once a connection was established, the threat actor used Windows Management Instrumentation (WMI) to move laterally and spread the attacker's tools — including Zardoor — by spawning processes on the target system and executing commands received from the C2," the researchers said.

The as-yet-undetermined infection pathway paves the way for a dropper component that, in turn, deploys a malicious dynamic-link library ("oci.dll") that's responsible for delivering two backdoor modules, "zar32.dll" and "zor32.dll."

While the former is the core backdoor element that facilitates C2 communications, the latter ensures that "zar32.dll" has been deployed with administrator privileges. Zardoor is capable of exfiltrating data, executing remotely fetched executables and shellcode, updating the C2 IP address, and deleting itself from the host.
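The WMI lateral-movement pattern and the three DLL names above give a defender two concrete things to hunt for: child processes of the WMI provider host (a Win32_Process.Create launched remotely runs its child under WmiPrvSE.exe) and loads of oci.dll, zar32.dll or zor32.dll. The following is an added example written for this page, not code from Cisco Talos or from the report; it assumes Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records with Sysmon's field names, and the sample events are constructed. Note that oci.dll is also the name of Oracle's legitimate Call Interface client library, so the example grades that load as a review item rather than a confirmed detection.

```python
"""Hunt for the Zardoor tradecraft over Sysmon-style events (added example).

Assumptions (not from the Talos report): events are dicts using Sysmon field
names for Event ID 1 (process create) and Event ID 7 (image load); the sample
events below are constructed for illustration.
"""
import ntpath
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# DLL names the article attributes to the Zardoor chain.
ZARDOOR_CORE = {"zar32.dll", "zor32.dll"}
# oci.dll is also the name of Oracle's legitimate Call Interface client DLL,
# so a load of it is a review item, not an automatic detection.
ZARDOOR_LOADER = {"oci.dll"}

# Win32_Process.Create via WMI lands the child under the WMI provider host.
WMI_HOST = "wmiprvse.exe"
# Shells and LoLBins an operator typically launches through WMI.
WMI_CHILD_WATCHLIST = {"cmd.exe", "powershell.exe", "rundll32.exe",
                       "regsvr32.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

Finding = Tuple[str, str, str]  # (rule, severity, detail)


def _base(path) -> str:
    """Lower-cased file name from a Windows path (ntpath works off-Windows too)."""
    return ntpath.basename(path or "").lower()


def classify(event: Dict) -> List[Finding]:
    """Return the findings a single Sysmon-style event triggers (possibly none)."""
    findings: List[Finding] = []
    host = event.get("Computer", "?")
    eid = event.get("EventID")

    if eid == 1 and _base(event.get("ParentImage")) == WMI_HOST:
        child = _base(event.get("Image"))
        severity = "high" if child in WMI_CHILD_WATCHLIST else "medium"
        findings.append(("wmi_spawned_process", severity,
                         f"{host}: WmiPrvSE.exe spawned {child}: {event.get('CommandLine', '')}"))

    elif eid == 7:
        loaded = _base(event.get("ImageLoaded"))
        if loaded in ZARDOOR_CORE:
            findings.append(("zardoor_module_load", "high",
                             f"{host}: {event.get('Image')} loaded {event.get('ImageLoaded')}"))
        elif loaded in ZARDOOR_LOADER:
            findings.append(("oci_dll_load", "review",
                             f"{host}: {event.get('Image')} loaded {event.get('ImageLoaded')}"))
    return findings


def hunt(events: Iterable[Dict]) -> List[Finding]:
    """Run classify() over an event stream and collect every finding."""
    out: List[Finding] = []
    for ev in events:
        out.extend(classify(ev))
    return out


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per rule, handy for a quick triage view."""
    return dict(Counter(rule for rule, _, _ in findings))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c copy \\FS01\share\oci.dll C:\Windows\System32\oci.dll"},
    {"EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 7, "Computer": "WS01",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Windows\System32\zar32.dll"},
    {"EventID": 7, "Computer": "DB02",
     "Image": r"C:\Oracle\client\bin\sqlplus.exe",
     "ImageLoaded": r"C:\Oracle\client\bin\oci.dll"},
    {"EventID": 7, "Computer": "WS01",
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Computer": "WS02",
     "Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "update.exe"},
]

if __name__ == "__main__":
    for rule, severity, detail in hunt(SAMPLE_EVENTS):
        print(f"[{severity:>6}] {rule}: {detail}")
```

Run against the constructed events, the hunt returns four findings: the cmd.exe copy launched under WmiPrvSE.exe (high), the zar32.dll load (high), the Oracle client's oci.dll load (review) and an unknown binary spawned by WmiPrvSE.exe (medium). In a real environment the WmiPrvSE.exe parent rule needs an allowlist for management agents that legitimately use WMI, and the oci.dll rule is best paired with the path the file was loaded from.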

The origins of the threat actor behind the campaign are unclear, and it does not share any tactical overlaps with a known, publicly reported threat actor at this time. That said, it's assessed to be the work of an "advanced threat actor."
