Telecommunication service providers in the Middle East have recently been targeted by a new intrusion set called ShroudedSnooper. The intrusion set employs a stealthy backdoor called HTTPSnoop to gain unauthorized access to target environments.
Cisco Talos, in a report, describes HTTPSnoop as a simple but effective backdoor that interfaces with Windows HTTP kernel drivers and devices. It listens to incoming requests for specific HTTP(S) URLs and executes the content on the infected endpoint. Additionally, ShroudedSnooper makes use of a sister implant named PipeSnoop, which can accept arbitrary shellcode from a named pipe and execute it on the infected system.
It is believed that ShroudedSnooper exploits internet-facing servers to deploy HTTPSnoop and gain initial access to target environments. Both malware strains impersonate components of Palo Alto Networks’ Cortex XDR application to evade detection.
Three different samples of HTTPSnoop have been identified thus far. The malware uses low-level Windows APIs to listen for incoming requests that match predefined URL patterns, extracting the shellcode to be executed on the infected host.
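Because HTTPSnoop registers its URL patterns with the Windows HTTP kernel driver (HTTP.sys) rather than opening its own socket, a defender can hunt for it by asking HTTP.sys which processes currently hold URL registrations. The following PowerShell hunt is an added example, not code from the Talos report: it parses the output of `netsh http show servicestate view=requestq verbose=yes` (parsing assumes the English output layout, where each unindented "Request queue name:" starts a queue, "Process IDs:" lists its owners and "Registered URLs:" lists its bindings), maps each owner to its on-disk binary and flags owners that are not on a small allowlist, or that claim to be a Cortex XDR component but lack a valid Palo Alto Networks signature. The allowlist and the `cortex|xdr` name pattern are assumptions to tune per environment.

```powershell
# Added hunting example (not from the Talos report). Run from an elevated
# prompt on the server being inspected.
$raw = netsh http show servicestate view=requestq verbose=yes

$bindings = @()                     # one record per (owner PID, URL) pair
$pids = @(); $inPids = $false; $inUrls = $false
foreach ($line in $raw) {
    $t = $line.Trim()
    # An unindented "Request queue name:" begins a new request queue; the
    # indented copy inside a URL group must not reset the owner list.
    if ($line -match '^Request queue name:') { $pids = @(); $inPids = $false; $inUrls = $false; continue }
    if ($t -eq 'Process IDs:')     { $inPids = $true;  $inUrls = $false; continue }
    if ($t -eq 'Registered URLs:') { $inUrls = $true;  $inPids = $false; continue }
    if ($inPids) {
        if ($t -match '^\d+$') { $pids += [int]$t } else { $inPids = $false }
    }
    if ($inUrls) {
        if ($t -match '^https?://') {
            foreach ($p in $pids) { $bindings += [pscustomobject]@{ Pid = $p; Url = $t } }
        } else { $inUrls = $false }
    }
}

# Assumed allowlist of legitimate HTTP.sys consumers (IIS, WinRM/RPC over
# HTTP in svchost, the kernel itself for IIS worker queues). Extend as needed.
$allowed = 'System', 'w3wp', 'svchost', 'wmsvc'

$bindings | Sort-Object Pid, Url -Unique | ForEach-Object {
    $proc   = Get-Process -Id $_.Pid -ErrorAction SilentlyContinue
    $name   = if ($proc) { $proc.ProcessName } else { '<exited>' }
    $path   = if ($proc) { $proc.Path } else { $null }
    $sig    = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
    # Flag: owner not allowlisted, or a binary named like the Cortex XDR agent
    # whose Authenticode signature is missing, invalid or not from Palo Alto.
    $suspicious = ($allowed -notcontains $name) -or
                  ($path -match 'cortex|xdr' -and ($sig.Status -ne 'Valid' -or $signer -notmatch 'Palo Alto'))
    [pscustomobject]@{
        Pid = $_.Pid; Process = $name; Path = $path
        Signer = $signer; Url = $_.Url; Suspicious = $suspicious
    }
} | Format-Table -AutoSize
```

Any row marked Suspicious deserves a look at the binary's hash, signature chain and the URL path it reserved; a legitimate product should account for every registration it holds.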
While HTTPSnoop focuses on public-facing servers, PipeSnoop is designed to operate within compromised enterprise environments. It likely targets more valuable or high-priority endpoints.
It’s important to note that PipeSnoop cannot function as a standalone implant and requires an auxiliary component to obtain shellcode through alternative methods and use the named pipe to pass it on to the backdoor.
The telecom sector in the Middle East has increasingly come under attack in recent years. Various threat actors, including Lebanese Cedar, MuddyWater, BackdoorDiplomacy, WIP26, and Granite Typhoon, have been linked to cyberattacks on telecommunication service providers in the region.