A previously unknown attack group has been targeting telecommunications providers in Middle Eastern countries with a custom backdoor that in some cases is disguised as a legitimate security application.
The new threat group appears to have been operating for at least several years, and researchers with Cisco Talos have named the group ShroudedSnooper. The group uses at least two separate implants, known as HTTPSnoop and PipeSnoop, and is likely gaining initial access to its targets by compromising Internet-facing servers. Telcos have been a prime target for many APT groups for some time, as they give attackers a key leverage point from which to steal sensitive information and gather intelligence on a wide range of organizations. In many countries telcos are government-operated entities, which makes them even more attractive targets.
The Talos researchers identified multiple variants of HTTPSnoop and PipeSnoop, including one that masquerades as the Palo Alto Networks Cortex XDR app. Those variants were disguised as a version of the XDR app that was released in August 2022 and discontinued in April 2023.
“HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind specific HTTP(S) URL patterns to the endpoint to listen for incoming requests. Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint,” the Talos researchers said.
“The DLL-based variants of HTTPSnoop usually rely on DLL hijacking in benign applications and services to get activated on the infected system. The attackers initially crafted the first variant of the implant on April 17, 2023, so that it could bind to specific HTTP URLs on the endpoint to listen for incoming shellcode payloads that are then executed on the infected endpoint. These HTTP URLs resemble those of Microsoft’s Exchange Web Services (EWS) API, a product that enables applications to access mailbox items.”
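Because HTTPSnoop registers its listener URLs with the Windows HTTP device rather than opening its own socket, defenders can audit those registrations directly: `netsh http show servicestate` lists every URL currently registered with http.sys. The script below is an added example, not Talos's tooling or code from the article; it pulls the URL lines out of netsh output and flags EWS-style paths that are absent from a recorded baseline. The netsh snippet and the EWS-style URLs in it are constructed samples, and the layout only approximates real netsh output (the parser depends solely on the one-URL-per-line format).

```python
"""Audit http.sys URL registrations for EWS-lookalike listeners (added example)."""
import re

# netsh prints each registered URL on its own line, e.g. "HTTP://+:80/path/".
URL_LINE = re.compile(r"^\s*(https?://\S+)\s*$", re.IGNORECASE | re.MULTILINE)

# Path prefixes Exchange exposes through IIS; a stand-alone http.sys
# registration of such a path is what an HTTPSnoop-style listener looks like.
EWS_LIKE_PREFIXES = ("/ews/", "/autodiscover/", "/owa/", "/ecp/", "/mapi/")

# Constructed sample of `netsh http show servicestate` output; not a real capture.
SAMPLE_NETSH_OUTPUT = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 3
        Registered URLs:
            HTTP://+:80/TEMPORARY_LISTEN_ADDRESSES/
            HTTPS://+:443/EWS/SAMPLE-CONSTRUCTED/
            HTTPS://+:443/AUTODISCOVER/SAMPLE-CONSTRUCTED/
"""


def extract_urls(netsh_output: str) -> list[str]:
    """Return every http.sys registration URL found in the netsh output."""
    return [m.group(1) for m in URL_LINE.finditer(netsh_output)]


def url_path(url: str) -> str:
    """Path component of a registration URL; handles wildcard hosts like '+' and '*'."""
    rest = url.split("://", 1)[1]
    idx = rest.find("/")
    return rest[idx:] if idx >= 0 else "/"


def is_ews_lookalike(url: str) -> bool:
    """True if the registered path sits under an Exchange-style prefix."""
    path = url_path(url).lower()
    return (path if path.endswith("/") else path + "/").startswith(EWS_LIKE_PREFIXES)


def flag_suspicious(netsh_output: str, baseline: set[str]) -> list[str]:
    """EWS-lookalike registrations not present in the known-good baseline.

    The baseline is a set of registration URLs recorded from the host (or a
    clean reference host) while it was known to be in a good state; compare
    case-insensitively because http.sys reports URLs in upper case."""
    known = {b.lower() for b in baseline}
    return [u for u in extract_urls(netsh_output)
            if is_ews_lookalike(u) and u.lower() not in known]
```

IIS site bindings are typically registered at the site root (for example `HTTP://*:80/`), so a separate http.sys registration of an EWS-style subpath deserves a look even on a genuine Exchange host.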
PipeSnoop is a companion implant to HTTPSnoop that the researchers believe is an upgraded version of HTTPSnoop and is designed to work in a different way. PipeSnoop executes arbitrary shellcode and likely works in conjunction with a separate component that the researchers have not yet discovered.
“As indicated by the name, PipeSnoop will simply attempt to connect to a pre-existing named pipe on the system. Named pipes are a common means of Inter-Process Communication (IPC) on the Windows operating system. The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it,” the researchers said.
“This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint. It needs a second component that acts as a server that will obtain arbitrary shellcode via some methods and will then feed the shellcode to PipeSnoop via the named pipe.”
The Talos researchers did not specify which countries ShroudedSnooper has targeted with its implants, but said that it has disclosed the findings to Palo Alto Networks and Microsoft.