Two new implants, HTTPSnoop and PipeSnoop, have been used in attacks on telecommunication service providers in the Middle East. Both give the threat actor remote code execution on infected devices.
HTTPSnoop interfaces with the Windows HTTP kernel driver (HTTP.sys) and its devices to register listeners for specific HTTP(S) URLs on the infected endpoint. It then watches incoming HTTP(S) requests for those URLs, base64-decodes the data they carry, and runs the decoded bytes as shellcode on the compromised host. Because the URLs are registered with the kernel driver rather than bound to a socket the implant owns, the listening port appears to belong to the System process and the implant can share a port with legitimate services, which suits it to public-facing servers.
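One way to hunt for the listener pattern described above is to compare the URLs registered with HTTP.sys against the processes attached to them. The script below is an added example written for this page, not code from Cisco Talos or from the implants: it parses the output of `netsh http show servicestate view=requestq` and flags URL registrations owned by a process outside an allowlist. The sample netsh output, the PID-to-image map and the image name `cortexhelper.exe` are constructed (the real netsh layout is only approximated and the URLs are invented, not the ones the implant uses), and the `EXPECTED_HOSTS` allowlist is an assumption to tune per server class.

```python
"""Hunt for HTTP.sys URL registrations owned by unexpected processes (added example).

A process that registers URLs with the kernel HTTP driver owns no listening socket of
its own (netstat attributes the port to System, PID 4), but the registration is still
visible to `netsh http show servicestate view=requestq`, which lists each request
queue, the PIDs attached to it and the URLs it serves.
"""
import csv
import re
import subprocess
from dataclasses import dataclass, field

# Assumption: processes that legitimately host HTTP.sys listeners on this server
# class (IIS worker, WinRM in svchost, kernel-mode IIS). Tune to your baseline.
EXPECTED_HOSTS = {"system", "svchost.exe", "w3wp.exe", "inetinfo.exe"}

# Constructed sample of the netsh output; the layout is approximated and the URLs
# are invented for the example.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Process IDs:
        1234
    URL group ID: FE00000040000001
        Request queue name: Request queue is unnamed.
            Registered URLs:
                HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Process IDs:
        4711
            Registered URLs:
                HTTPS://+:443/api/v2/sync/
                HTTP://+:80/status/health/
"""

# Constructed PID -> image map standing in for a live process listing; the image
# name on the second queue is invented for the example.
SAMPLE_PROCESSES = {4: "System", 1234: "svchost.exe", 4711: "cortexhelper.exe"}

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

@dataclass
class RequestQueue:
    pids: list = field(default_factory=list)
    urls: list = field(default_factory=list)

def parse_servicestate(text):
    """Group registered URLs by request queue together with the attached PIDs."""
    queues, current, in_pids = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        # A queue header sits at column 0; the copy inside a URL group is indented.
        if raw.startswith("Request queue name:"):
            current = RequestQueue()
            queues.append(current)
            in_pids = False
            continue
        if current is None:
            continue
        if line == "Process IDs:":
            in_pids = True
            continue
        if in_pids:
            if line.isdigit():
                current.pids.append(int(line))
                continue
            in_pids = False  # first non-numeric line ends the PID list
        if URL_RE.match(line):
            current.urls.append(line)
    return queues

def find_suspicious(queues, processes, expected=EXPECTED_HOSTS):
    """(pid, image, url) for every URL served by a process outside the allowlist."""
    findings = []
    for queue in queues:
        for pid in queue.pids:
            image = processes.get(pid, "<unknown>")
            if image.lower() not in expected:
                findings.extend((pid, image, url) for url in queue.urls)
    return findings

def run_or(cmd, fallback):
    """Run a Windows tool and return its stdout; return the fallback elsewhere."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return fallback

def live_processes():
    """PID -> image name from `tasklist /fo csv /nh`, or the constructed map."""
    out = run_or(["tasklist", "/fo", "csv", "/nh"], None)
    if out is None:
        return SAMPLE_PROCESSES
    return {int(r[1]): r[0] for r in csv.reader(out.splitlines()) if len(r) > 1 and r[1].isdigit()}

if __name__ == "__main__":
    state = run_or(["netsh", "http", "show", "servicestate", "view=requestq"], SAMPLE_SERVICESTATE)
    for pid, image, url in find_suspicious(parse_servicestate(state), live_processes()):
        print(f"PID {pid} ({image}) serves {url}")
```

On a Windows host the script reads the live netsh and tasklist output; anywhere else it runs on the constructed sample. A finding is a URL registration attached to a process outside the allowlist, which is exactly what a user-mode implant listening through HTTP.sys produces; an image name that looks like a security product is not a reason to dismiss it, given the Cortex XDR masquerade.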
PipeSnoop, on the other hand, reads arbitrary shellcode from a Windows named pipe and executes it, acting as a backdoor driven over local IPC rather than over the network. Whereas HTTPSnoop appears built for public-facing servers, PipeSnoop depends on a separate component to write the pipe, which makes it suited to operations deeper inside a compromised network. The component that supplies the shellcode to PipeSnoop has not been identified.
According to Cisco Talos, the two implants belong to the same intrusion set, tracked as ‘ShroudedSnooper’, but serve different operational goals in terms of infiltration level. Both masquerade as components of the Palo Alto Networks Cortex XDR product to evade detection.
Telecommunication service providers are frequent targets of state-sponsored threat actors because of their crucial role in running networks and relaying sensitive data, and these attacks underline the need for stronger defences and cross-border cooperation around critical infrastructure. For the two implants described here the practical checks are concrete: inventory the URLs registered with HTTP.sys on internet-facing Windows servers (netsh http show servicestate) and the named pipes present on internal hosts, and verify that anything presenting itself as a Cortex XDR component carries Palo Alto Networks' signature and lives in the product's real install path.