In the Middle East, telecommunication service providers face a growing cybersecurity threat in the form of a new intrusion set known as ShroudedSnooper.

This malicious campaign employs a stealthy backdoor called Httpsnoop, designed to infiltrate target systems discreetly. Cisco Talos, a prominent cybersecurity research firm, recently shed light on this threat.

HTTPSnoop, A Simple and Stealthy Backdoor

HTTPSnoop is a sophisticated backdoor, noted for its simplicity and effectiveness. It utilizes innovative techniques to interface with Windows HTTP kernel drivers and devices, enabling it to Monitor Incoming Requests for specific HTTP(S) URLs and execute the associated content on the compromised endpoint.

This technique allows Threat Actors to gain unauthorized access and execute malicious actions on the infected systems.

Another component of ShroudedSnooper’s arsenal is a sister implant named PipeSnoop. PipeSnoop has the capability to accept arbitrary shellcode from a named pipe and execute it on the compromised endpoint. This multifaceted approach enhances the threat actor’s ability to carry out malicious activities while evading detection.

ShroudedSnooper is believed to target internet-facing servers, utilizing HTTPSnoop to establish initial access to target environments. Notably, both malware strains disguise themselves as components of Palo Alto Networks’ Cortex XDR application, specifically as “CyveraConsole.exe,” a tactic employed to remain covert during their operations.

Researchers have identified three distinct samples of HTTPSnoop to date. This malware relies on low-level Windows APIs to monitor incoming requests that match predefined URL patterns.

It then extracts the shellcode from these requests and executes it on the compromised host. This behavior suggests that HTTPSnoop is primarily designed to operate on internet-exposed web and EWS servers.

On the other hand, PipeSnoop operates differently, reading and writing to and from a Windows IPC pipe for its input/output (I/O) capabilities. This implies that PipeSnoop likely functions within a compromised enterprise environment, as opposed to public-facing servers like HTTPSnoop. Its purpose appears to be targeting endpoints that the threat actors deem more valuable or high-priority.

Importantly, PipeSnoop cannot function as a standalone implant; it requires an auxiliary component that acts as a server to obtain the shellcode through alternative methods and then uses the named pipe to pass it to the backdoor.

This recent targeting of the telecommunications sector, especially in the Middle East, follows a concerning pattern observed in recent years. Various threat actors, such as Lebanese Cedar, MuddyWater (aka Seedworm), BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium), have targeted telecommunication service providers in this region.

This underscores the importance of robust cybersecurity measures for organizations operating in the telecom sector and the need for ongoing vigilance against evolving threats.