Telecommunications providers in the Middle East are targeted by a new threat actor dubbed ‘ShroudedSnooper’ in a cyber espionage campaign that deploys novel malware named ‘HTTPSnoop’ and ‘PipeSnoop.’
“HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint,” a new report from Cisco’s Talos threat research group explains.
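Because a process that registers URLs with the HTTP.sys kernel driver does not own the listening socket itself, it does not show up as the listener in netstat-style output. The PowerShell below is an added defender's check, not code from the article or from Talos: it maps every URL registered with HTTP.sys to the user-mode process attached to its request queue and flags owners outside an allowlist. The allowlist and the line layout assumed for `netsh http show servicestate` are assumptions.

```powershell
# Added example (not from the article or Talos): map HTTP.sys URL registrations
# to the user-mode process that owns the request queue, flag unexpected owners.
# Run from an elevated prompt. Assumes the request-queue view of
# 'netsh http show servicestate' prints, per queue, a
# "Number of active processes attached:" line, then "Process IDs:" followed by
# one PID per line, then URL groups whose "Registered URLs:" list follows.
$AllowedImages = @('svchost', 'w3wp', 'System')   # assumption: tune per host role

$queues  = @()
$current = $null
$mode    = ''
foreach ($raw in (netsh http show servicestate view=requestq verbose=yes)) {
    $t = $raw.Trim()
    if ($t -match '^Number of active processes attached:') {   # new queue record
        $current = [pscustomobject]@{ Pids = @(); Urls = @() }
        $queues += $current
        $mode = ''
    } elseif ($t -match '^Process IDs:')     { $mode = 'pid' }
    elseif ($t -match '^Registered URLs:')   { $mode = 'url' }
    elseif ($current -and $mode -eq 'pid' -and $t -match '^\d+$') {
        $current.Pids += [int]$t
    } elseif ($current -and $mode -eq 'url' -and $t -match '^https?://') {
        $current.Urls += $t
    } else {
        $mode = ''                            # any other line ends the current block
    }
}

# Resolve PIDs to image names; a PID that no longer exists is kept as 'exited:<pid>'
$report = foreach ($q in $queues) {
    $names = foreach ($p in $q.Pids) {
        $proc = Get-Process -Id $p -ErrorAction SilentlyContinue
        if ($proc) { $proc.ProcessName } else { "exited:$p" }
    }
    $unexpected = @($names | Where-Object { $AllowedImages -notcontains $_ })
    $flag = if ($unexpected.Count -gt 0 -or $names.Count -eq 0) { 'REVIEW' } else { 'ok' }
    foreach ($u in $q.Urls) {
        [pscustomobject]@{
            Url    = $u
            Owners = ($names -join ', ')
            Pids   = ($q.Pids -join ', ')
            Flag   = $flag
        }
    }
}

$report | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Rows marked REVIEW are registrations whose owning process is not an expected web-service image (or has no attached process); compare the image path and signer of that process against what the host is supposed to run.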
The PipeSnoop tool can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
According to the team, both implants masquerade as components of Palo Alto Networks’ Cortex XDR software that was decommissioned in August 2023.
The researchers believe that ShroudedSnooper exploits internet-facing servers and deploys HTTPSnoop to gain initial access to target environments.
Unlike HTTPSnoop, PipeSnoop doesn’t rely on initiating and listening for incoming connections via an HTTP server.
“The key requirement here is that the named pipe that PipeSnoop connects to should have been already created/established - PipeSnoop does not attempt to create the pipe, it simply tries to connect to it. This capability indicates that PipeSnoop cannot function as a standalone implant (unlike HTTPSnoop) on the endpoint,” the researchers said.
“Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact,” the team noted. “These entities often form the backbone of national satellite, internet and telephone networks upon which most private and government services rely. Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers or third-party providers.”