In 2022, state-sponsored actors and other advanced adversaries consistently targeted telecommunications providers worldwide, making telecom one of the most-targeted sectors in Cisco Talos Incident Response cases.
Telecom firms that operate critical infrastructure are prime targets because of their role in national networks and because a compromised provider can serve as a gateway into the organizations and users that depend on it.
Cisco Talos researchers recently discovered new malware, "HTTPSnoop", deployed against telecommunications providers in the Middle East. It uses novel techniques to interface with the Windows HTTP kernel driver (HTTP.sys): it listens for requests to specific URLs and executes the content delivered in them.
The implant cluster, which includes HTTPSnoop and PipeSnoop and uses TTPs that match no group Talos already tracks, is attributed to a new intrusion set that Talos named "ShroudedSnooper".
Variants of HTTPSnoop
In total, the attackers built three variants of HTTPSnoop:
- Variant 1 (April 17, 2023): a DLL loaded through DLL hijacking of a benign application. It binds to HTTP URLs crafted to resemble Microsoft Exchange Web Services (EWS) API endpoints and executes shellcode received on them.
- Variant 2 (April 19, 2023): resembles the first variant but binds to a different set of HTTP URLs on ports 80 and 443, which suggests it was meant for an exposed web server other than EWS.
- Variant 3 (April 29, 2023): adds a kill-switch URL alongside a single listening URL, most likely to reduce the detection risk that comes with registering many URLs.
HTTPSnoop Malware Interface
HTTPSnoop and PipeSnoop masquerade as components of Palo Alto Networks' Cortex XDR application, and their compile timestamps were altered so that the files appear to have been built during the period Cortex XDR v7.8 was current (August 2022 to April 2023).
HTTPSnoop is a simple but effective backdoor that:
- uses low-level Windows APIs to interact directly with the HTTP kernel device, so it shares the ports served by HTTP.sys instead of opening a listening socket of its own
- listens for requests matching specific URL patterns
- decodes the shellcode carried in incoming requests and executes it
The analyzed DLL consists of two key components:
- the encoded Stage 2 shellcode
- the encoded Stage 2 configuration
Once activated, the malicious DLL XOR-decodes both, then runs the Stage 2 shellcode with that configuration.
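A hunting check that follows from the mechanism above, written as an added example for this page (it is not Talos's code and has nothing to do with the malware's own code): because the implant registers its URLs with the HTTP kernel driver, a hunter should enumerate HTTP.sys request queues, not just listening sockets, and ask which process owns each registered URL. The script parses text in the layout of `netsh http show servicestate view=requestq` (the sample below is constructed and abbreviated, not captured from a real host) and flags registered URLs whose attached process image is not in an allow-list. The PID-to-image map, the `legacyapp.exe` name and the allow-list are assumptions for the example.

```python
"""Hunt for HTTP.sys URL registrations owned by unexpected processes.

Because HTTPSnoop registers its URLs with the Windows HTTP kernel driver, the
listener appears in HTTP.sys's request queues rather than as a socket owned by
the implant's process. This script parses text in the shape of
`netsh http show servicestate view=requestq` and reports registered URLs whose
attached process image is not in an allow-list.
"""
import re

URL_RE = re.compile(r"^https?://\S+$", re.IGNORECASE)

# Constructed sample in the layout of `netsh http show servicestate view=requestq`
# (abbreviated); it was not captured from a real host. Queue 1 belongs to an IIS
# worker, queue 2 to a hypothetical unrelated process that has claimed an
# EWS-looking path on port 443.
SAMPLE_NETSH = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4120
    URL groups:
    URL group ID: FD00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTPS://+:443/EWS/
                HTTPS://+:443/OWA/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        9876
    URL groups:
    URL group ID: FD00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTPS://+:443/EWS/Exchange.asmx/
"""

# Constructed PID -> image map (on a real host, take it from tasklist or Get-Process).
SAMPLE_PROCESSES = {4120: "w3wp.exe", 9876: "legacyapp.exe"}

# Assumed images expected to own HTTP.sys request queues on an Exchange/IIS host.
# Tune per environment; svchost.exe covers WinRM, WSDAPI and similar services.
ALLOWED_IMAGES = {"w3wp.exe", "svchost.exe", "system"}


def parse_request_queues(text):
    """Return [{'pids': [...], 'urls': [...]}, ...], one entry per top-level queue.

    'Request queue name:' also appears nested inside each URL group, so a new
    queue is opened only when the line sits at the indentation of the first one.
    """
    queues, current, mode, queue_indent = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if line.startswith("Request queue name:"):
            if queue_indent is None:
                queue_indent = indent
            if indent == queue_indent:
                current = {"pids": [], "urls": []}
                queues.append(current)
            mode = None
        elif current is None:
            continue
        elif line == "Process IDs:":
            mode = "pids"
        elif line == "Registered URLs:":
            mode = "urls"
        elif mode == "pids" and line.isdigit():
            current["pids"].append(int(line))
        elif mode == "urls" and URL_RE.match(line):
            current["urls"].append(line)
        else:
            mode = None  # any other line ends the current PID/URL block
    return queues


def find_unexpected_urls(queues, pid_to_image, allowed_images):
    """Return (url, pids, images) for every URL in a queue that is not fully
    owned by allowed images. A queue with no attached PID is reported as well:
    a registered URL with no visible owner deserves a look."""
    allowed = {i.lower() for i in allowed_images}
    findings = []
    for q in queues:
        images = {pid_to_image.get(pid, "<unknown>").lower() for pid in q["pids"]}
        if not images or not images <= allowed:
            for url in q["urls"]:
                findings.append((url, sorted(q["pids"]), sorted(images)))
    return findings


def hunt(text=SAMPLE_NETSH, pid_to_image=SAMPLE_PROCESSES, allowed=ALLOWED_IMAGES):
    return find_unexpected_urls(parse_request_queues(text), pid_to_image, allowed)


if __name__ == "__main__":
    for url, pids, images in hunt():
        print(f"SUSPECT {url} owned by pids={pids} images={images}")
```

On a real host, feed `hunt()` the actual netsh output and a PID map built from `tasklist /FO CSV` or `Get-Process`; a queue whose URLs sit under an Exchange-looking path but whose owner is not the IIS worker is exactly the pattern the first HTTPSnoop variant would produce.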
PipeSnoop, created in May 2023, is a distinct implant that relies on Windows IPC pipes for its I/O, which points to a different deployment environment: most likely internal enterprise hosts rather than the internet-exposed servers HTTPSnoop is suited to.