20 September 2023

New ShroudedSnooper group targets telcos in the Middle East

Telecommunications providers in the Middle East are targeted by a new threat actor dubbed ‘ShroudedSnooper’ in a cyber espionage campaign that deploys novel malware named ‘HTTPSnoop’ and ‘PipeSnoop.’

“HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint,” a new report from Cisco’s Talos threat research group explains.

The PipeSnoop tool accepts arbitrary shellcode from a named pipe and executes it on the infected endpoint.

According to the team, both implants masquerade as components of Palo Alto Networks’ Cortex XDR software, which was decommissioned in August 2023.

The researchers believe that ShroudedSnooper exploits internet-facing servers and deploys HTTPSnoop to gain initial access to target environments.

Unlike HTTPSnoop, PipeSnoop doesn’t rely on initiating and listening for incoming connections via an HTTP server.

“The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it. This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint,” the researchers said.
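Because HTTPSnoop listens through the Windows HTTP kernel driver rather than opening a socket of its own, the URL it registers appears in HTTP.sys's own bookkeeping, not as a port owned by the implant process in a netstat listing. The Python script below is an added example written for this article, not code from Talos, from the malware or from Palo Alto Networks: it parses the request-queue view of `netsh http show servicestate` (the layout it expects is an assumption modelled on that command's output), lists every registered URL together with the process IDs attached to its request queue, and flags registrations outside a known-good baseline. The embedded sample output, the PIDs and the `/UpdateService/` path are constructed; the baseline prefixes are placeholders to replace with the registrations taken from a known-clean reference host.

```python
"""Triage HTTP.sys URL registrations from `netsh http show servicestate view=requestq`.

Added example: walks the request-queue view, pairs each registered URL with the
process IDs attached to its queue, and flags URLs outside a baseline. The text
layout assumed here mirrors netsh's request-queue view; the sample is constructed.
"""
import subprocess
import sys
from dataclasses import dataclass, field

# Constructed sample in the shape of netsh's request-queue view. PID 1944 with the
# WinRM listener plays the legitimate service; PID 5120 and the "/UpdateService/"
# URLs are fictitious and exist only to produce a hit.
SAMPLE_NETSH_OUTPUT = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        1944
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        5120
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Number of registered URLs: 2
        Registered URLs:
            HTTPS://+:443/UpdateService/
            HTTP://+:80/UpdateService/
"""

# Placeholder baseline of URL prefixes this host is expected to serve; build the
# real list from a known-clean reference host running the same software.
KNOWN_GOOD_PREFIXES = ("HTTP://+:5985/WSMAN/", "HTTP://+:47001/WSMAN/")


@dataclass
class RequestQueue:
    """One HTTP.sys request queue: the PIDs attached to it and the URLs it serves."""
    pids: list = field(default_factory=list)
    urls: list = field(default_factory=list)


def parse_servicestate(text):
    """Parse the request-queue view into RequestQueue records."""
    queues = []
    section = None  # "pids" or "urls" while inside the respective indented list
    for raw in text.splitlines():
        line = raw.strip()
        # A queue header sits at column 0; the same label indented under a URL
        # group is only a back-reference and must not start a new record.
        if raw.startswith("Request queue name:"):
            queues.append(RequestQueue())
            section = None
            continue
        if not queues:
            continue
        if line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            queues[-1].pids.append(line)
        elif section == "urls" and line.upper().startswith(("HTTP://", "HTTPS://")):
            queues[-1].urls.append(line)
        else:
            section = None  # any other line ends the current list
    return queues


def flag_unexpected(queues, known_good=KNOWN_GOOD_PREFIXES):
    """Return (url, pids) pairs for registrations that match no baseline prefix."""
    hits = []
    for queue in queues:
        for url in queue.urls:
            if not any(url.upper().startswith(p.upper()) for p in known_good):
                hits.append((url, tuple(queue.pids)))
    return hits


def live_snapshot():
    """Capture the live request-queue view on Windows; None on other platforms."""
    if not sys.platform.startswith("win"):
        return None
    result = subprocess.run(
        ["netsh", "http", "show", "servicestate", "view=requestq"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout or None


def main():
    text = live_snapshot() or SAMPLE_NETSH_OUTPUT
    for url, pids in flag_unexpected(parse_servicestate(text)):
        print(f"unexpected HTTP.sys listener {url} attached to PID(s) {', '.join(pids)}")


if __name__ == "__main__":
    main()
```

Each flagged PID is the process that opened the request queue, so the next triage step is to resolve it to an image path and signer; a listener registered by a binary outside the expected install directories, or one whose URL shares a port with a legitimate service it does not belong to, is what warrants a closer look.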

“Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact,” the team noted. “These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.”
