Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop.
"HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint," Cisco Talos said in a report shared with The Hacker News.
Also part of the threat actor's arsenal is a sister implant codenamed PipeSnoop that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
It's suspected that ShroudedSnooper exploits internet-facing servers and deploys HTTPSnoop to gain initial access to target environments, with both the malware strains impersonating components of Palo Alto Networks' Cortex XDR application ("CyveraConsole.exe") to fly under the radar.
Three different HTTPSnoop variants have been detected to date. The malware uses low-level Windows APIs to listen for incoming requests matching predefined URL patterns, which are then picked up to extract the shellcode to be executed on the host.
These HTTP URLs imitate those from Microsoft Exchange Web Services, OfficeTrack, and provisioning services associated with an Israeli telecommunications company in an attempt to make malicious requests nearly indistinguishable from benign traffic.
"The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server indicate that it was likely designed to work on internet-exposed web and EWS servers," Talos researchers said. "PipeSnoop, however, as the name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities."
"This suggests the implant is likely designed to function further within a compromised enterprise – instead of public-facing servers like HTTPSnoop — and probably is intended for use against endpoints the malware operators deem more valuable or high-priority."
The nature of the malware indicates that PipeSnoop cannot function as a standalone implant and that it requires an auxiliary component, which acts as a server to obtain the shellcode via other methods, and use the named pipe to pass it on the backdoor.
The targeting of the telecom sector, particularly in the Middle East, has become something of a pattern in recent years.
In January 2021, ClearSky uncovered a set of attacks orchestrated by Lebanese Cedar that was aimed at telecom operators in the U.S., the U.K., and Middle-East Asia. Later that December, Broadcom-owned Symantec shed light on an espionage campaign targeting telecom operators in the Middle East and Asia by a likely Iranian threat actor known as MuddyWater (aka Seedworm).
Other adversarial collectives tracked under the monikers BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium) have also been attributed to attacks on telecommunication service providers in the region over the past year.
"Telecommunications organizations have tremendous visibility into internet traffic, both retail and enterprise related," Talos researchers said. "Furthermore, most telecommunications infrastructure often comprises backbone networks that are critical to establishing connectivity both within and outside countries and are therefore of high value for state sponsored groups."
(The story has been updated after publication to include responses from Cisco Talos researchers.)
