Telecommunication service providers in the Middle East have fallen prey to a novel cyber threat, ShroudedSnooper, which deploys a highly covert backdoor known as HTTPSnoop.
According to Cisco Talos, the intrusion set uses novel techniques to interface with the Windows HTTP kernel driver and its devices, allowing the implant to listen for incoming requests to specific HTTP(S) URLs and execute their content on the compromised endpoint. Alongside HTTPSnoop, the threat actor's arsenal includes a sister implant named PipeSnoop, which accepts arbitrary shellcode over a named pipe and executes it on the infected system.
ShroudedSnooper appears to focus on exploiting internet-facing servers to gain initial access to targeted environments. Intriguingly, both HTTPSnoop and PipeSnoop disguise themselves as components of Palo Alto Networks’ Cortex XDR application (“CyveraConsole.exe”) in an effort to remain inconspicuous and evade detection.
Talos identified three HTTPSnoop samples; each uses low-level Windows APIs to register for and intercept incoming requests that match predefined URL patterns. Shellcode is extracted from matching requests and executed on the compromised host. PipeSnoop, by contrast, appears intended for use deeper inside an already compromised enterprise network, suggesting a distinct role from HTTPSnoop.
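Because HTTPSnoop relies on URL registrations with the Windows HTTP kernel driver (HTTP.sys), one defender-side triage step is to enumerate those registrations and compare them against an expected baseline. The script below is an added example, not code from the Talos report or this article; it parses a constructed excerpt shaped like `netsh http show servicestate view=requestq` output (the layout is an approximation assumed for illustration, and the process IDs, URLs and baseline prefixes are invented sample values, not indicators from any report).

```python
import re

# Constructed sample in the shape of `netsh http show servicestate view=requestq`
# output. Layout is an approximation; PIDs and URLs are invented, not real indicators.
SAMPLE_NETSH_OUTPUT = """\
Request queue name: Request queue is unnamed.
    State: Active
    Process IDs:
        4680
    URL groups:
    URL group ID: F90000004000001D
        Registered URLs:
            HTTP://+:5985/WSMAN/
Request queue name: Request queue is unnamed.
    State: Active
    Process IDs:
        7312
    URL groups:
    URL group ID: F90000004000002A
        Registered URLs:
            HTTPS://+:443/api/health/
            HTTPS://+:443/updates/check/
"""

# Assumed administrator baseline: URL prefixes this host is expected to serve via HTTP.sys.
EXPECTED_URL_PREFIXES = ("http://+:5985/wsman/", "https://+:443/api/")


def parse_request_queues(text):
    """Return (pid, url) pairs: each registered URL paired with the PIDs attached to its queue."""
    pairs, pids, in_pids, in_urls = [], [], False, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):   # a new queue starts; forget old PIDs
            pids, in_pids, in_urls = [], False, False
        elif line == "Process IDs:":
            in_pids, in_urls = True, False
        elif line == "Registered URLs:":
            in_urls, in_pids = True, False
        elif in_pids and line.isdigit():
            pids.append(int(line))
        elif in_urls and re.match(r"(?i)https?://", line):
            pairs.extend((pid, line) for pid in pids)
        elif line.endswith(":"):                      # any other section header ends the list
            in_pids = in_urls = False
    return pairs


def unexpected_registrations(text, expected=EXPECTED_URL_PREFIXES):
    """Flag registrations whose URL matches none of the expected prefixes (case-insensitive)."""
    allowed = tuple(p.lower() for p in expected)
    return [(pid, url) for pid, url in parse_request_queues(text)
            if not url.lower().startswith(allowed)]
```

Flagged entries are leads for review (which process owns the PID, whether its binary is signed and located where it claims), not verdicts, since legitimate software also registers HTTP.sys URLs.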
This latest threat fits a pattern of attacks on the telecom sector, particularly in the Middle East, over recent years. In previous incidents, threat actors and collectives including Lebanese Cedar, MuddyWater, BackdoorDiplomacy, WIP26, and Granite Typhoon have conducted espionage campaigns against telecom operators in the region.
These attacks raise significant cybersecurity concerns and highlight the need for robust defenses within the telecommunications industry in the Middle East to protect against emerging and persistent threats like ShroudedSnooper.