ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies


Sep 19, 2023 | THN | Malware / Cyber Threat

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop.

"HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint," Cisco Talos said in a report shared with The Hacker News.

Also part of the threat actor's arsenal is a sister implant codenamed PipeSnoop that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.

It's suspected that ShroudedSnooper exploits internet-facing servers and deploys HTTPSnoop to gain initial access to target environments, with both malware strains impersonating components of Palo Alto Networks' Cortex XDR application ("CyveraConsole.exe") to fly under the radar.


Three different HTTPSnoop samples have been detected to date. The malware uses low-level Windows APIs to listen for incoming requests matching predefined URL patterns, which are then picked up to extract the shellcode to be executed on the host.

"The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server indicate that it was likely designed to work on internet-exposed web and EWS servers," Talos researchers said. "PipeSnoop, however, as the name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities."

"This suggests the implant is likely designed to function further within a compromised enterprise – instead of public-facing servers like HTTPSnoop — and most likely is intended for use against endpoints the malware operators deem more valuable or high-priority."

The nature of the malware indicates that PipeSnoop cannot function as a standalone implant and that it requires an auxiliary component, which acts as a server to obtain the shellcode via different methods, and uses the named pipe to pass it on to the backdoor.
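One defensive check that follows from the HTTP.sys binding described above, as an added example that is not part of the Talos report or this article: enumerate the URLs registered with the Windows HTTP service (`netsh http show servicestate view=requestq verbose=yes`) and flag request queues whose attached process is not an expected listener. The sample netsh output, the PID-to-image table and the allowlist below are constructed, and the output layout the parser assumes is an approximation of the real command's format.

```python
# Added example, not code from the Talos report: parse the request-queue view of
# `netsh http show servicestate view=requestq verbose=yes` (layout is an assumption).

def parse_servicestate(text):
    """Return [{'pids': [...], 'urls': [...]}] per HTTP.sys request queue."""
    queues, mode = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):    # unindented = new queue;
            queues.append({"pids": [], "urls": []})  # the indented copy only resets mode
            mode = None
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            queues[-1]["pids"].append(int(line))
        elif mode == "urls" and line.lower().startswith(("http://", "https://")):
            queues[-1]["urls"].append(line)
        else:
            mode = None  # any other line ends the current list
    return queues

def flag_unexpected(queues, pid_to_image, allowed_images):
    """(pid, image, urls) for every attached process whose image is not allowlisted."""
    return [(pid, pid_to_image.get(pid, "<unknown>"), tuple(q["urls"]))
            for q in queues for pid in q["pids"]
            if pid_to_image.get(pid, "<unknown>").lower() not in allowed_images]

# Constructed sample: a kernel-owned queue (PID 4) and one owned by a process
# named like the Cortex XDR binary the report says HTTPSnoop impersonates.
SAMPLE = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        4
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTP://+:5985/WSMAN/
Request queue name: Request queue is unnamed.
    Process IDs:
        3412
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTPS://+:443/EWS/PLACEHOLDER-PATH/
            HTTPS://+:443/OWA/PLACEHOLDER-PATH/
"""
PID_TO_IMAGE = {4: "System", 3412: "CyveraConsole.exe"}  # constructed tasklist view
ALLOWED_IMAGES = {"system", "svchost.exe", "w3wp.exe"}   # assumed host baseline
```

On a live host, feed the real netsh output to `parse_servicestate` and build the PID table from `tasklist` or `Get-Process`; a hit on an unexpected image, or on a known name running from an unexpected path, is the lead to investigate.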

The targeting of the telecom sector, particularly in the Middle East, has become something of a pattern in recent years.



In January 2021, ClearSky uncovered a set of attacks orchestrated by Lebanese Cedar that was aimed at telecom operators in the U.S., the U.K., and Middle-East Asia. Later that December, Broadcom-owned Symantec shed light on an espionage campaign targeting telecom operators in the Middle East and Asia by a likely Iranian threat actor known as MuddyWater (aka Seedworm).

Other adversarial collectives tracked under the monikers BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium) have also been attributed to attacks on telecommunication service providers in the region over the past year.
