ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies

Cyber Security Threat Summary:
In the Middle East, telecommunication service providers are facing a new cyber threat known as ShroudedSnooper. This intrusion set employs a stealthy backdoor called HTTPSnoop, as reported by Cisco Talos. HTTPSnoop is a backdoor that uses innovative techniques to interface with Windows HTTP kernel drivers and devices. It listens for incoming requests for specific HTTP(S) URLs and executes their content on the infected system. The threat actor also utilizes another tool called PipeSnoop, which can accept arbitrary shellcode through a named pipe and execute it on the infected system. ShroudedSnooper is believed to target internet-facing servers, deploying HTTPSnoop to gain initial access to target environments. Both malware strains disguise themselves as components of Palo Alto Networks' Cortex XDR application ("CyveraConsole[.]exe") to avoid detection. Three different samples of HTTPSnoop have been identified. This malware leverages low-level Windows APIs to monitor incoming requests that match predefined URL patterns, extracting shellcode for execution on the host. HTTPSnoop appears to be designed for internet-exposed web and EWS servers, while PipeSnoop is likely intended for use within compromised enterprise environments rather than public-facing servers. PipeSnoop relies on an auxiliary component to function, which acts as a server to obtain shellcode through other methods and then passes it through the named pipe to activate the backdoor.

Security Officer Comments:
Targeting the telecommunications sector, particularly in the Middle East, has become a recurring trend in recent years. For instance, in January 2021, ClearSky uncovered a series of attacks orchestrated by Lebanese Cedar, which targeted telecom operators in the U.S., the U.K., and Asia. Similarly, in December of the same year, Symantec, now owned by Broadcom, revealed an espionage campaign that focused on telecom operators in the Middle East and Asia, likely orchestrated by an Iranian threat actor known as MuddyWater (also known as Seedworm).

Additionally, various adversarial groups, such as BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium), have also been linked to attacks on telecommunication service providers in the region over the past year.

Suggested Correction(s):
Researchers at Cisco Talos have published IOCs that can be used to detect the ShrouddedSnooper malware: