HTTPSnoop Malware Targets Middle East


In the Middle East, telecommunication service providers have become the focus of a new intrusion operation known as ShroudedSnooper. This operation utilizes a covert backdoor called HTTPSnoop.

According to a report shared with The Hacker News by Cisco Talos, HTTPSnoop is described as a straightforward yet efficient backdoor. It incorporates innovative techniques to interact with Windows HTTP kernel drivers and devices, allowing it to monitor incoming requests for specific HTTP(S) URLs and execute the associated content on the infected endpoint.

Additionally, the threat actor possesses a second implant, codenamed PipeSnoop, which accepts arbitrary shellcode through a named pipe and executes it on the compromised endpoint.

It is suspected that ShroudedSnooper targets internet-facing servers and deploys HTTPSnoop to gain initial access to the target environments. Both of these malware strains masquerade as components of Palo Alto Networks' Cortex XDR application, specifically "CyveraConsole.exe," in an attempt to avoid detection.

HTTPSnoop Comes in Different Flavors

To date, three different variants of HTTPSnoop have been identified. The malware relies on low-level Windows APIs to monitor incoming requests that match predefined URL patterns, extracts the shellcode carried in a matching request, and executes it on the host.

These HTTP URLs mimic those associated with Microsoft Exchange Web Services, OfficeTrack, and provisioning services linked to an Israeli telecommunications company. This is done in an effort to make the malicious requests appear nearly identical to legitimate traffic.

Talos researchers noted that the HTTP URLs used by HTTPSnoop, along with its binding to the built-in Windows web server, suggest that it was likely designed to operate on internet-exposed web and EWS servers. In contrast, PipeSnoop, as implied by its name, reads and writes data to and from a Windows IPC pipe for input/output (I/O) functions.
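Because HTTPSnoop binds its URLs to the built-in Windows HTTP server (http.sys), one defensive check is to audit http.sys URL registrations against the processes that own them. The following is an added example, not code from the Talos report or from the malware: it parses a constructed sample of `netsh http show servicestate view=requestq` output (the layout is assumed) and flags registrations owned by processes outside an assumed baseline, such as a binary masquerading as Cortex XDR's CyveraConsole.exe.

```python
import re

# Constructed sample of `netsh http show servicestate view=requestq` output (layout assumed, not captured from a host).
SAMPLE_NETSH = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        1304
        Registered URLs:
            HTTP://+:5985/WSMAN/
Request queue name: Request queue is unnamed.
    Process IDs:
        4412
        Registered URLs:
            HTTPS://+:443/EWS/AUTODISCOVER/
            HTTPS://+:443/OFFICETRACK/
"""
# Constructed PID -> image name map (what Get-Process would return on the host).
SAMPLE_PIDS = {1304: "svchost.exe", 4412: "CyveraConsole.exe"}
# Assumed per-host baseline of processes allowed to own http.sys URL registrations.
EXPECTED_OWNERS = {"svchost.exe", "w3wp.exe", "System"}

def parse_request_queues(text: str) -> list:
    """One record per http.sys request queue: attached PIDs and registered URLs."""
    queues, in_pids = [], False
    current = {"pids": [], "urls": []}  # throwaway until the first queue header
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            current = {"pids": [], "urls": []}
            queues.append(current)
            in_pids = False
        elif line == "Process IDs:":
            in_pids = True
        elif in_pids and line.isdigit():
            current["pids"].append(int(line))
        elif re.match(r"https?://", line, re.I):
            current["urls"].append(line)
        else:
            in_pids = False  # any other line ends the PID list
    return queues

def find_unexpected_listeners(queues, pid_to_image, expected_owners):
    """Flag every registered URL whose owning process is outside the baseline."""
    findings = []
    for q in queues:
        owners = {pid_to_image.get(pid, f"<pid {pid} not found>") for pid in q["pids"]}
        unexpected = sorted(owners - expected_owners)
        if unexpected:
            findings.extend((url, unexpected) for url in q["urls"])
    return findings
```

On a real host, feed it the actual netsh output and a PID-to-image map from Get-Process, and tune EXPECTED_OWNERS to the services that legitimately listen on that server.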

This indicates that PipeSnoop is probably intended for use within a compromised enterprise environment, rather than public-facing servers like HTTPSnoop. It is likely meant for targeting endpoints that the malware operators consider more valuable or high-priority.

The nature of the malware suggests that PipeSnoop cannot function as a standalone implant and requires an auxiliary component to act as a server for obtaining the shellcode through alternative methods and passing it through the named pipe to the backdoor.

Targeting the telecommunications sector, especially in the Middle East, has become a recurring trend in recent years. Various threat actors, including Lebanese Cedar, MuddyWater (aka Seedworm), BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium), have been linked to attacks on telecommunication service providers in the region over the past year.

September 21, 2023
