
ShroudedSnooper: Backdoors Employ Ultra-Stealth Techniques in Telecom Attacks in the Middle East


A new and potentially dangerous threat actor has recently targeted two Middle East-based telecommunications organizations, compromising their systems and stealing sensitive data. The intrusion, named “ShroudedSnooper” by cybersecurity firm Cisco Talos, utilized two previously unseen backdoors called “HTTPSnoop” and “PipeSnoop” to infiltrate the networks without detection.

The attackers behind ShroudedSnooper have gone to great lengths to ensure their activities remain undetected. Both backdoors employ extensive anti-detection mechanisms, such as masquerading as popular software products and infecting low-level components of Windows servers. This allows them to hide in plain sight and makes it incredibly difficult to distinguish their malicious behavior from legitimate operations.

The first backdoor, HTTPSnoop, takes a stealthier approach compared to traditional methods of compromising Windows servers. Instead of dropping a web shell directly on the targeted system, it uses low-level Windows APIs to interface directly with the HTTP server. By using kernel-level access, HTTPSnoop binds itself to specific HTTP(S) URL patterns and listens for incoming requests. When an incoming request matches a specific pattern, it decodes the data in the request and executes the malicious shellcode.

What makes HTTPSnoop even more challenging to detect is that the URL patterns it targets often appear to be related to popular software products, such as Microsoft Outlook webmail. This makes it difficult for analysts to identify the malicious activity unless they are specifically looking for it.

In May, the attackers behind ShroudedSnooper developed an upgraded version of HTTPSnoop called PipeSnoop. This new variant reads from and writes to a preexisting Windows named pipe, an inter-process communication channel, instead of listening on HTTP URLs. Like its predecessor, PipeSnoop disguises itself as a legitimate application, this time mimicking Palo Alto Networks’ Cortex XDR application. This further increases the difficulty of identifying and removing these backdoors from affected systems.

The sophisticated nature of ShroudedSnooper poses significant challenges for the targeted telecom organizations. Detecting and eliminating these backdoors is not a simple task, especially on live production systems. Forensic work is required to enumerate the URLs registered with the web server, examine the callbacks attached to them, and identify the DLLs behind those callbacks. Given the complexity of this work, prevention becomes crucial in mitigating the risks posed by ShroudedSnooper.
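As an added example (not part of the original article or of Cisco Talos' research), the following Python script shows one way to perform the registered-URL review described above on a copied-off text dump rather than on the live server. It parses the output of `netsh http show servicestate view=requestq`, which lists every URL prefix registered with the Windows HTTP server (http.sys) together with the process IDs attached to each request queue, and reports registrations whose owning process is not in a defender-maintained baseline. The sample `netsh` output, the process inventory and the baseline are all constructed for this example: the PIDs, image names and URL group IDs are invented, and the `LOOKALIKE_PATHS` list is an assumption reflecting the Outlook-webmail-style paths the article mentions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of `netsh http show servicestate view=requestq` output.
# Not captured from a real host: the layout mirrors the command's layout,
# but the PIDs, URL group IDs and URLs are invented for this example.
SAMPLE_SERVICESTATE = """
Request queues:

    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            4
        URL groups:
        URL group ID: FE00000040000001
            State: Active
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/

    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Number of active processes attached: 1
        Process IDs:
            2212
        URL groups:
        URL group ID: FE00000040000002
            State: Active
            Number of registered URLs: 2
            Registered URLs:
                HTTPS://+:443/OWA/
                HTTPS://+:443/EWS/
"""

# Hypothetical pid -> image name inventory, as a defender would collect with
# `tasklist` or Get-Process at the same time as the netsh dump (constructed).
SAMPLE_PROCESSES: Dict[int, str] = {4: "System", 2212: "svchost.exe"}

# Baseline of which image is expected to own which URL prefix on this host.
# On a host that is not an Exchange server nobody should register
# Exchange-looking paths at all, which is exactly what the check surfaces.
SAMPLE_BASELINE: Dict[str, Set[str]] = {
    "HTTP://+:5985/WSMAN/": {"System"},   # WinRM listener, owned by the kernel
}

# Assumed path fragments that an implant might pick to blend in with webmail.
LOOKALIKE_PATHS = ("/OWA/", "/EWS/", "/AUTODISCOVER/", "/ECP/")

URL_RE = re.compile(r"^(HTTPS?://\S+)$", re.IGNORECASE)


def parse_servicestate(text: str) -> List[Dict[str, Optional[object]]]:
    """Return one record per registered URL: {'pid': int | None, 'url': str}.

    Walks the indented netsh output top to bottom. A top-level
    'Request queue name:' line starts a new queue and clears the PID list,
    'Process IDs:' opens a block of bare PIDs, and every HTTP(S) URL seen
    afterwards is attributed to the PIDs of the current queue.
    """
    records: List[Dict[str, Optional[object]]] = []
    pids: List[int] = []
    in_pid_block = False
    for raw in text.splitlines():
        line = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        # The queue header is indented 4 spaces; the same label also appears
        # deeper inside each URL group, where it must not reset the PID list.
        if line.startswith("Request queue name:") and indent <= 4:
            pids, in_pid_block = [], False
        elif line == "Process IDs:":
            in_pid_block = True
        elif in_pid_block and line.isdigit():
            pids.append(int(line))
        else:
            in_pid_block = False
            match = URL_RE.match(line)
            if match:
                for pid in pids or [None]:
                    records.append({"pid": pid, "url": match.group(1)})
    return records


def find_unexpected_registrations(records, processes, baseline) -> List[Dict]:
    """Flag every (owner image, URL) pairing that the baseline does not allow,
    and note when the URL additionally looks like a webmail path."""
    expected = {url.upper(): owners for url, owners in baseline.items()}
    findings = []
    for rec in records:
        url_upper = rec["url"].upper()
        image = processes.get(rec["pid"], "<unknown>")
        if image in expected.get(url_upper, set()):
            continue  # known-good pairing from the baseline
        reason = "not in baseline"
        if any(p in url_upper for p in LOOKALIKE_PATHS):
            reason += "; path mimics Exchange/OWA"
        findings.append({"pid": rec["pid"], "image": image,
                         "url": rec["url"], "reason": reason})
    return findings


if __name__ == "__main__":
    regs = parse_servicestate(SAMPLE_SERVICESTATE)
    for f in find_unexpected_registrations(regs, SAMPLE_PROCESSES, SAMPLE_BASELINE):
        print(f"pid={f['pid']} image={f['image']} url={f['url']} ({f['reason']})")
```

On a live host the two inputs are collected from an elevated prompt with `netsh http show servicestate view=requestq > servicestate.txt` and `tasklist /fo csv`, then reviewed offline; the baseline is built once from a known-clean server of the same role. A hit is a starting point for the DLL identification step, not proof of compromise: the image name only tells you which process owns the request queue, and the module that registered the callback still has to be located inside that process.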

To prevent such attacks, companies should focus on effective prevention measures rather than relying solely on post-intrusion detection and removal. Security tooling running with sufficient privilege should be used to identify and block the attackers' initial steps before the malware is implanted. By doing so, organizations can significantly reduce the likelihood of falling victim to these stealthy backdoors.

The emergence of ShroudedSnooper highlights the evolving and sophisticated tactics employed by threat actors in today’s cybersecurity landscape. It serves as a reminder that organizations must remain vigilant and proactive in their security measures to stay one step ahead of cyber threats. Additionally, collaborations between cybersecurity researchers and organizations are crucial to sharing information and developing effective countermeasures against emerging threats like ShroudedSnooper.
