
ShroudedSnooper Targeting Telecommunications in the Middle East

Written by The Hivemind | Sep 29, 2023 5:35:33 PM

Related Families: HTTPSnoop, PipeSnoop
Verticals Targeted: Telecommunications

Executive Summary

ShroudedSnooper used the novel implants HTTPSnoop and PipeSnoop to target telecommunications entities in the Middle East.

Key Takeaways

  • ShroudedSnooper used the novel implants HTTPSnoop and PipeSnoop to target telecommunications entities in the Middle East.
  • HTTPSnoop is a simple and effective backdoor that uses novel techniques to interface with Windows HTTP Kernel drivers and devices.
  • PipeSnoop is a sister implant that is capable of accepting arbitrary shellcode from a named pipe and executing it on the victim device.
  • Cisco Talos discovered both DLL and EXE-based versions of the implants, masquerading as legitimate security software components.
  • Cisco Talos noted the activity did not appear to align with the TTPs of a known threat actor group and named the new intrusion set ShroudedSnooper.

The Campaign

Cisco Talos recently reported on activity targeting telecommunications entities in the Middle East from 2022 to at least mid-2023. Because the activity did not appear to align with the TTPs of any known threat actor group, Talos named the new intrusion set ShroudedSnooper.

Since 2022, telecommunications has been one of the most frequently targeted verticals observed by Cisco Talos. Talos noted that the vertical consists of high-value targets, because both private and government entities rely on telecommunications as critical infrastructure for communications and business operations. Once compromised, these entities can also serve as a gateway to other third-party entities.

In the campaign, the threat actors used novel implants, dubbed HTTPSnoop and PipeSnoop. Cisco Talos discovered both DLL- and EXE-based versions of the implants, masquerading as legitimate security software components such as XDR agents, which makes the malware more difficult to detect. Based on the HTTP URL patterns used by the implants, Cisco Talos noted the threat actors likely gained initial access to victim machines by exploiting internet-facing servers and deploying HTTPSnoop.

HTTPSnoop

According to Cisco Talos, HTTPSnoop is a simple and effective backdoor that uses novel techniques to interface with Windows HTTP kernel drivers and devices. It listens for incoming requests to specific HTTP(S) URLs and executes the content of those requests on the victim's device. It is a standalone implant.

All reported variants of HTTPSnoop are similar; they differ only in which URL patterns they listen for. One variant listens for generic HTTP URLs specified by the implant. A second listens for URLs that mimic the Microsoft EWS API. A third listens for URLs mimicking OfficeCore’s LBS/OfficeTrack and telephony applications. The DLL-based HTTPSnoop variants rely on DLL hijacking to activate on the victim machine.
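As a defender-side illustration of the http.sys behaviour described above, here is an added Python example (not code from this post, from PolySwarm or from Talos) that parses a snapshot of `netsh http show servicestate` and reports URL registrations that fall outside a per-host baseline. It assumes the implant's listener registers through the user-mode HTTP Server API, so that it appears in that snapshot alongside legitimate listeners such as WinRM. The embedded snapshot is a constructed sample modelled on the command's layout and should be checked against a real host; the EWS- and OfficeTrack-looking entries in it are placeholders, not observed indicators.

```python
import platform
import re
import subprocess

# Constructed sample snapshot, modelled on the layout of
# `netsh http show servicestate`; verify the format against a real host.
# The EWS/OfficeTrack-looking entries are placeholders, not observed indicators.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/

Server session ID: FF00000020000002
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTPS://+:443/EWS/
                HTTP://+:80/OFFICETRACK/
"""

# A registered URL is printed on its own indented line, e.g. "HTTP://+:5985/WSMAN/".
URL_LINE = re.compile(r"^\s+(HTTPS?://\S+)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_registered_urls(text):
    """Return every URL registered with http.sys that appears in the snapshot."""
    return URL_LINE.findall(text)


def unexpected_registrations(urls, baseline_prefixes):
    """Registrations that match none of the host's expected URL prefixes.

    The comparison is case-insensitive so it works however the snapshot
    cases the URLs. The baseline is per server role: an Exchange server
    legitimately serves EWS paths, a plain member server does not.
    """
    base = tuple(p.lower() for p in baseline_prefixes)
    return [u for u in urls if not u.lower().startswith(base)]


def snapshot_from_host():
    """Run netsh on a Windows host and return its output; None elsewhere."""
    if platform.system() != "Windows":
        return None
    proc = subprocess.run(["netsh", "http", "show", "servicestate"],
                          capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    text = snapshot_from_host() or SAMPLE_SERVICESTATE
    # Baseline for a member server that only exposes WinRM (adjust per role).
    baseline = ["http://+:5985/wsman/", "http://+:47001/wsman/"]
    for url in unexpected_registrations(parse_registered_urls(text), baseline):
        print("review http.sys registration:", url)
```

On a Windows host the script collects the snapshot itself; elsewhere it falls back to the constructed sample. Treat anything it reports as a lead to pivot on (which process owns the request queue, whether the role should be serving that path), not as a verdict, and keep the baseline role-specific so that legitimate Exchange or WinRM registrations do not drown the signal.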

PipeSnoop

PipeSnoop is a sister implant capable of accepting arbitrary shellcode from a named pipe and executing it on the victim machine. It was created in May 2023. PipeSnoop differs from HTTPSnoop in that it does not set up and listen for incoming connections via the HTTP server; instead it connects to a named pipe that has already been created. This means it is not a standalone implant like HTTPSnoop: PipeSnoop requires a second component to act as a server that obtains the arbitrary shellcode and feeds it to PipeSnoop via the named pipe.

IOCs

PolySwarm has multiple samples associated with this activity.


1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb

9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
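A minimal way to act on the two hashes above, as an added Python example (not PolySwarm's or Talos' code): a chunked SHA-256 scanner that walks a directory tree, hashes DLL and EXE files (the two forms of the implants the post describes) and reports matches against the indicator set. The file names and contents used in `self_check()` are constructed so the script can be exercised offline without any real sample.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators listed in the post above.
SHROUDEDSNOOPER_SHA256 = {
    "1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb",
    "9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_known_indicator(hexdigest, indicators=SHROUDEDSNOOPER_SHA256):
    """Case-insensitive membership test, since feeds disagree on hex casing."""
    return hexdigest.lower() in indicators


def scan_tree(root, indicators=SHROUDEDSNOOPER_SHA256, suffixes=(".dll", ".exe")):
    """Return [(path, sha256)] for files under root whose hash is an indicator.

    Only DLL and EXE files are hashed by default; pass suffixes=() to hash
    everything. Unreadable or locked files are skipped rather than aborting.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if suffixes and not name.lower().endswith(suffixes):
                continue
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # locked or unreadable; keep scanning the rest
            if is_known_indicator(digest, indicators):
                hits.append((path, digest))
    return hits


def self_check():
    """Offline check: a constructed file, with its own hash as the indicator."""
    payload = b"constructed sample content, not malware"
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "constructed_sample.dll")
        with open(sample, "wb") as fh:
            fh.write(payload)
        decoy = os.path.join(tmp, "notes.txt")  # wrong suffix, must be skipped
        with open(decoy, "wb") as fh:
            fh.write(payload)
        expected = hashlib.sha256(payload).hexdigest()
        hits = scan_tree(tmp, indicators={expected})
        return [p for p, _ in hits] == [sample]


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest in scan_tree(root):
        print(f"MATCH {digest}  {path}")
```

A hash match only catches these exact builds; Talos describes variants that differ in their URL patterns, and those will have other hashes, so treat this as a triage aid that complements behavioural hunting (http.sys registrations, unexpected named-pipe servers) rather than a substitute for it.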


You can use the following CLI command to search for all related samples in our portal:

$ polyswarm link list -t ShroudedSnooper