Saturday, December 9, 2023

Hackers Attacking Telecoms Servers With HTTPSnoop Malware

In 2022, state-sponsored actors and advanced adversaries consistently targeted telecoms globally, making it a top sector in Talos IR cases.

Telecom firms with critical infrastructure assets are prime targets due to their role in national networks and as potential gateways for adversaries.

Cybersecurity researchers at Cisco Talos recently found a new malware family, “HTTPSnoop,” deployed against telecom companies in the Middle East. Its distinctive trait is that it interfaces directly with the Windows HTTP kernel driver (HTTP.sys) to listen for requests to specific URLs and then executes the content those requests carry on the infected host.

Talos attributes the implant cluster, made up of HTTPSnoop and PipeSnoop, to a new intrusion set it calls “ShroudedSnooper,” because the cluster’s TTPs do not match any group Talos already tracks.


Variants of HTTPSnoop

In total, the attackers built three variants of HTTPSnoop:-

  • Variant 1 (April 17, 2023): a DLL loaded through DLL hijacking of a benign application. It registers HTTP URL patterns that resemble Microsoft’s Exchange Web Services (EWS) API and executes shellcode delivered to them.
  • Variant 2 (April 19, 2023): resembles the first variant but listens on a different set of HTTP URLs on ports 80 and 443, which suggests it was meant for an exposed web server other than EWS.
  • Variant 3 (April 29, 2023): adds a kill-switch URL alongside a single listening URL, most likely to reduce the number of URLs the implant exposes and so lower its risk of detection.

HTTPSnoop Malware Interface

HTTPSnoop and PipeSnoop both masquerade as components of Palo Alto Networks’ Cortex XDR application. Their compile timestamps were altered to fall inside the window in which Cortex XDR v7.8 was current (August 2022 to April 2023), which suggests that is when the operation ran.

HTTPSnoop is a simple but effective backdoor that:-

  • Uses low-level Windows APIs to talk directly to the HTTP device exposed by the kernel driver (HTTP.sys), rather than running a web server of its own
  • Listens for requests to the specific URL patterns it registers with that driver
  • Decodes the shellcode carried in matching incoming requests and executes it on the host
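Because every variant described above works by registering URL patterns with the Windows HTTP kernel driver, the registrations are visible on the host itself: “netsh http show servicestate view=requestq verbose=yes” dumps HTTP.sys’s request queues, the process IDs attached to each queue and the URLs each queue registered. The Python script below is an added example written for this page, not a tool from Talos or the article. It parses that dump (a constructed sample in the layout netsh prints is embedded so it runs offline) and flags EWS-looking URLs owned by a process other than the expected IIS worker. The path hints and the w3wp.exe allow-list are assumptions for illustration, not the implant’s real URL list.

```python
"""Hunt HTTP.sys URL registrations for HTTPSnoop-style listeners.

HTTPSnoop registers URL patterns with the Windows HTTP kernel driver
(HTTP.sys) and waits for requests, so the kernel's own registration
table exposes it. Dump that table with:
    netsh http show servicestate view=requestq verbose=yes
Usage: python hunt_httpsys.py            (elevated prompt, live query)
       python hunt_httpsys.py dump.txt   (saved netsh output)
"""
import csv
import subprocess
import sys

# Path fragments modelled on the EWS-like URLs the first HTTPSnoop variant
# registered. Assumption for this example, not the implant's real URL list.
SUSPICIOUS_PATH_HINTS = ("/ews/", "/autodiscover/")
# Images allowed to own such paths (assumption: the IIS worker on Exchange).
EXPECTED_IMAGES = ("w3wp.exe",)

# Constructed sample in the layout netsh prints: a benign WinRM queue and a
# second queue (PID 7788) that registered two EWS-looking URLs.
SAMPLE_DUMP = """\
Request queue name: Request queue is unnamed.
    Number of active processes attached: 1
    Process IDs:
        4524
    URL groups:
    URL group ID: FD00000040000001
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Number of active processes attached: 1
    Process IDs:
        7788
    URL groups:
    URL group ID: FD00000040000002
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTPS://+:443/ews/Exchange.asmx/
            HTTPS://+:443/ews/Service/
"""


def parse_requestq(text):
    """Return one dict per request queue: the PIDs attached and URLs registered."""
    queues, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):   # unindented = a new queue;
            cur = {"pids": [], "urls": []}          # the indented copy is per URL group
            queues.append(cur)
        elif cur is None or not line:
            continue
        elif line.isdigit():                        # entries under "Process IDs:"
            cur["pids"].append(int(line))
        elif line.lower().startswith(("http://", "https://")):  # "Registered URLs:" entries
            cur["urls"].append(line)
    return queues


def url_path(url):
    """Lower-cased path of an HTTP.sys URL prefix such as HTTPS://+:443/ews/."""
    parts = url.split("/", 3)
    return "/" + (parts[3].lower() if len(parts) == 4 else "")


def flag_suspicious(queues, expected_pids):
    """(url, pids) pairs for EWS-looking URLs owned by an unexpected process."""
    hits = []
    for q in queues:
        if q["pids"] and all(pid in expected_pids for pid in q["pids"]):
            continue                                # every owner is allow-listed
        hits += [(u, tuple(q["pids"])) for u in q["urls"]
                 if any(h in url_path(u) for h in SUSPICIOUS_PATH_HINTS)]
    return hits


def pids_for_images(images):
    """PIDs of the given image names via tasklist; empty set off Windows."""
    pids = set()
    for image in images:
        try:
            out = subprocess.run(["tasklist", "/FI", f"IMAGENAME eq {image}", "/FO", "CSV", "/NH"],
                                 capture_output=True, text=True, check=False).stdout
        except OSError:                             # no tasklist on this host
            return set()
        pids.update(int(r[1]) for r in csv.reader(out.splitlines())
                    if len(r) > 1 and r[1].isdigit())
    return pids


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = subprocess.run(["netsh", "http", "show", "servicestate", "view=requestq", "verbose=yes"],
                              capture_output=True, text=True, check=False).stdout
    for url, pids in flag_suspicious(parse_requestq(text), pids_for_images(EXPECTED_IMAGES)):
        print(f"SUSPICIOUS {url} owned by PID(s) {pids}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it from an elevated prompt on the suspect server, or pass a saved dump as the first argument; in that case tasklist cannot resolve the allow-list, every EWS-looking URL is reported, and the analyst checks the owners by hand, which is the conservative choice. The check only sees the implant while it is actually listening, and a variant that registers a URL outside the hint list (variant 3 deliberately trimmed its URLs) leaves nothing here, so a clean result is absence of evidence rather than evidence of absence.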

The analyzed DLL consists of two key components:-

  • The encoded Stage 2 shellcode.
  • The encoded Stage 2 configuration.

Once the malicious DLL is activated, it decodes both components with a single-byte XOR routine and then runs the Stage 2 shellcode together with the decoded configuration.

Single byte XOR routine (Source – Cisco Talos)
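A single-byte XOR is weak enough that an analyst does not need to reverse the decode loop: trying all 256 keys and keeping the one whose output looks like the implant’s configuration recovers the key directly. The script below is an added example for this page, not Talos’s tooling. It assumes the configuration contains the URL prefixes the implant listens on (the page describes the variants by their URLs, but does not show the configuration format) and uses a URL scheme as the known-plaintext marker, breaking ties by how many decoded bytes are printable. The embedded blob is a constructed sample encoded with key 0x5A, not the real HTTPSnoop configuration.

```python
"""Recover the single-byte XOR key of an HTTPSnoop-style embedded blob.

The loader DLL carries its Stage 2 shellcode and configuration encoded
with a single-byte XOR. Because the configuration is assumed to hold the
URL patterns the implant listens on, a correct decode must contain a URL
scheme; brute-forcing all 256 keys for that marker recovers the key.
"""
import re

URL_RE = re.compile(rb"https?://[\x21-\x7e]+", re.IGNORECASE)
MARKERS = (b"http://", b"https://", b"HTTP://", b"HTTPS://")


def xor_bytes(data, key):
    """XOR every byte with the same key (the same operation encodes and decodes)."""
    return bytes(b ^ key for b in data)


def plausibility(data):
    """Fraction of bytes that are printable ASCII or a common separator (NUL, tab, CR, LF)."""
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0, 9, 10, 13))
    return ok / len(data) if data else 0.0


def recover_key(blob, markers=MARKERS):
    """Return (key, decoded) for the most plausible key whose decode contains a URL
    scheme, or None when no key produces one (e.g. the blob is not single-byte XOR)."""
    best = None
    for key in range(256):
        cand = xor_bytes(blob, key)
        if not any(m in cand for m in markers):
            continue
        score = plausibility(cand)
        if best is None or score > best[0]:
            best = (score, key, cand)
    return None if best is None else (best[1], best[2])


def extract_urls(decoded):
    """Pull the listener URL prefixes out of a decoded configuration."""
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]


# Constructed sample: two EWS-looking HTTP.sys URL prefixes, NUL-separated,
# encoded with key 0x5A. The layout is an assumption, not the real config.
SAMPLE_CONFIG = (b"http://+:80/ews/exchange.asmx/\x00"
                 b"https://+:443/ews/autodiscover/\x00")
SAMPLE_BLOB = xor_bytes(SAMPLE_CONFIG, 0x5A)

if __name__ == "__main__":
    key, decoded = recover_key(SAMPLE_BLOB)
    print(f"key=0x{key:02x}")
    for url in extract_urls(decoded):
        print(" ", url)
```

On a real sample the blob comes from the DLL’s data section; the same loop works for the shellcode component, swapping the URL marker for a byte pattern expected at the start of position-independent code. If several keys pass the marker test, the plausibility score prefers the decode that is mostly printable, which is what a URL-bearing configuration looks like and what a random-looking wrong key does not.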

PipeSnoop, created in May 2023, is a distinct implant built for a different setting: instead of listening through HTTP.sys, it performs its I/O over a Windows IPC pipe. That design suggests it is meant to run deeper inside an already-compromised enterprise network, where another component can feed it commands over the pipe, rather than on an internet-facing server.

Tushar Subhra Dutta
