A New Stealthy Threat Actor Emerges Targeting Middle East Telecoms

A recent report reveals that two Middle East-based telecommunications organizations have fallen victim to a potentially novel threat actor. The intrusion set, tracked as “ShroudedSnooper,” uses two backdoors named “HTTPSnoop” and “PipeSnoop” that rely on previously unseen methods of delivering and executing malicious shellcode on targeted systems.

The ShroudedSnooper attacks are particularly stealthy, making it difficult to associate them with any known threat groups. The backdoors employ sophisticated anti-detection techniques by disguising themselves as popular software products and infecting low-level components of Windows servers. Once inside a network, these backdoors execute shellcode, providing the attackers with persistent access to move laterally, exfiltrate data, or deploy additional malware.

The initial intrusion method used by ShroudedSnooper remains unclear. It is suspected that the attackers first exploit vulnerable Internet-facing servers, using HTTPSnoop either as an executable file or a dynamic-link library to establish initial access. Instead of dropping a web shell directly onto the target Windows server, HTTPSnoop utilizes low-level Windows APIs to interact with the HTTP server, binding itself to specific HTTP(S) URL patterns. By doing so, it appears as a legitimate part of the server’s functionality.

To further mask its activity, ShroudedSnooper registers URL patterns that imitate those of popular software products, making its presence difficult to detect. Even a security analyst reviewing the server would struggle to identify the malicious behavior without specific knowledge of the technique.

The threat actor behind ShroudedSnooper has extended its toolset with an upgraded variant of HTTPSnoop called “PipeSnoop.” This variant performs the same core function as HTTPSnoop but receives its arbitrary shellcode over pre-existing inter-process communication pipes rather than over HTTP.

Stopping ShroudedSnooper is difficult because of its stealthy design. Victims can hunt for the backdoors manually by examining the URLs registered with the HTTP server and the callbacks associated with them, but this process is intricate and time-consuming. Prevention is therefore the more practical focus: because the backdoors require high privileges to be implanted, organizations should use their existing security tooling to detect the earlier stages of an intrusion, before the attacker has gained the access needed to install them.
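The manual check described above can be partly automated. The script below is an added example, not code from the original report or from any tool it names: it parses the text printed by `netsh http show servicestate view=requestq verbose=yes` (the HTTP.sys service-state listing on Windows), records which process IDs own each registered URL, and reports every registration that is absent from a known-good baseline. The embedded sample output is a constructed approximation of the real netsh format, and the baseline set is an assumption for a hypothetical web server; a defender would record the baseline from a clean host and diff against it on a schedule.

```python
"""Flag HTTP.sys URL registrations that are not on a known-good baseline.

Added example, not code from the Talos report. Parses the output of
`netsh http show servicestate view=requestq verbose=yes` on Windows; the
sample below is a constructed approximation of that format, and the
BASELINE set is an assumption for a hypothetical server running only IIS.
"""
import re
import subprocess
import sys
from collections import defaultdict

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)
PID_RE = re.compile(r"^\d+$")

# Constructed sample of `netsh http show servicestate view=requestq verbose=yes`.
# The second request queue, owned by PID 5120, registers a path that a
# legitimate deployment never configured (placeholder path, not a real IoC).
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Process IDs:
        4
    URL groups:
    URL group ID: FC00000040000001
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:80/
            HTTPS://+:443/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Process IDs:
        5120
    URL groups:
    URL group ID: FC00000040000002
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTPS://+:443/example-lookalike-path/
"""

# Assumed baseline recorded from a clean host: only the IIS site bindings.
BASELINE = {"http://+:80/", "https://+:443/"}


def parse_registered_urls(text):
    """Return {url_prefix: set(pids)} for every registered URL in the listing.

    PIDs listed under "Process IDs:" apply to every URL registered later in
    the same request queue; a new "Process IDs:" block starts a fresh set.
    """
    registrations = defaultdict(set)
    pids = set()
    section = None  # "pids", "urls" or None depending on the list being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Process IDs:"):
            pids = set()
            section = "pids"
            continue
        if line.startswith("Registered URLs:"):
            section = "urls"
            continue
        if section == "pids" and PID_RE.match(line):
            pids.add(int(line))
            continue
        if section == "urls" and URL_RE.match(line):
            registrations[line.lower()].update(pids)  # normalise scheme/host case
            continue
        section = None  # any other line terminates the current list
    return dict(registrations)


def find_unexpected(registrations, baseline):
    """Return the registrations whose URL prefix is not in the baseline."""
    allowed = {u.lower() for u in baseline}
    return {url: pids for url, pids in registrations.items() if url not in allowed}


def collect_live_state():
    """Run netsh on a Windows host and return its output as text."""
    return subprocess.run(
        ["netsh", "http", "show", "servicestate", "view=requestq", "verbose=yes"],
        capture_output=True, text=True, check=True,
    ).stdout


if __name__ == "__main__":
    text = collect_live_state() if sys.platform == "win32" else SAMPLE_SERVICESTATE
    for url, pids in find_unexpected(parse_registered_urls(text), BASELINE).items():
        print(f"UNEXPECTED registration {url} owned by PID(s) {sorted(pids)}")
```

On a real host the owning PIDs are the pivot point: a URL registered by a process other than the expected web-server worker (or by a process that is not a web server at all) is what warrants a closer look at that process's loaded modules and parent chain. Offline, the script runs against the constructed sample and reports the single registration missing from the baseline.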

The emergence of ShroudedSnooper serves as a reminder to telecom companies to implement robust security measures to defend against these advanced threats.