Zingdoor

Zingdoor is a new HTTP backdoor written in Go. While we first encountered Zingdoor in April 2023, some logs indicate that the earliest development of this backdoor took place in June 2022. However, it has rarely been seen in the wild and has only been observed against a limited number of victims, which is consistent with a newly designed backdoor with cross-platform capabilities. Zingdoor is packed with UPX and heavily obfuscated by a custom obfuscator engine.

We noted that Zingdoor adopts an anti-UPX unpacking technique. Normally the UPX magic number is "UPX!", but in this case it was modified to "MSE!", so the stock UPX application cannot unpack the modified file. This technique is simple and common in internet of things (IoT) malware, but it is considered rare in APT activity.

Zingdoor was disguised as mpclient.dll and designed to run via DLL sideloading by abusing the Windows Defender binary MsSecEs.exe. Upon running the executable, Zingdoor registers the current parent process as a Windows service named "MsSecEsSvc" for persistence and starts it. As a service process, Zingdoor connects to the command-and-control (C&C) server and waits for commands. Based on the functions defined in the backdoor, it supports the following capabilities:

Get system information
Get Windows service information
Disk management (file upload/download, file enumeration)
Run arbitrary commands

Figure 2. Modified UPX header for anti-UPX unpacking technique