Pierluigi Paganini
September 19, 2023
Cisco Talos researchers recently discovered a new stealthy implant dubbed HTTPSnoop that was employed in attacks against telecommunications providers in the Middle East.
The HTTPSnoop backdoor supports novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs. The malicious code also enables operators to execute arbitrary code on the infected endpoint.
The researchers also discovered a twin implant to HTTPSnoop tracked as “PipeSnoop,” which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint.
The activity involving HTTPSnoop and PipeSnoop and associated tactics, techniques, and procedures (TTPs) of the threat actors behind it do not match a known threat group. Cisco Talos experts tracked the threat actors as “ShroudedSnooper.”
The researchers also discovered both HTTPSnoop and PipeSnoop masquerading as components of Palo Alto Networks’ Cortex XDR security products.
“We assess with high confidence that both implants belong to a new intrusion set we’re calling “ShroudedSnooper.”” reads the analysis published by Cisco Talos. Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.”
The HTTPSnoop backdoor uses low-level Windows APIs to interact directly with the HTTP device on the system. The malicious code listens for incoming requests that match specific HTTP(S) URL patterns. These requests are picked up by the backdoor that decodes the data accompanying the HTTP request to extract the shellcode and executes it on the infected endpoint.
The researchers discovered three variants of the HTTPSnoop implant, which uses the same code, but listens to the requests using different URL patterns.
The DLL-based variants of HTTPSnoop observed by the researchers use DLL hijacking in benign applications and services to be executed on the infected system. The researchers observed three HTTPSnoop variants, the last one in order of time used a killswitch URL.
The PipeSnoop implant analyzed by Talos was created in May 2023, it is a simple backdoor that can run arbitrary shellcode payloads on the infected endpoint by reading from an IPC pipe.
“The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server indicate that it was likely designed to work on internet-exposed web and EWS servers. PipeSnoop, however, as the name may imply, reads and writes to and from a Windows IPC pipe for its input/output (I/O) capabilities This suggests the implant is likely designed to function further within a compromised enterprise–instead of public-facing servers like HTTPSnoop — and probably is intended for use against endpoints the malware operators deem more valuable or high-priority.” continues the report.
PipeSnoop likely works with an auxiliary component that serves the shellcode via the named pipe.
The researchers published Indicators of Compromise (IocS) associated with this threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ShroudedSnooper)
