In a concerning development, a newly discovered malware duo, HTTPSnoop and PipeSnoop, has emerged as a significant threat to telecommunication service providers operating in the Middle East.
Both give their operators a way to run arbitrary shellcode on infected hosts, which amounts to remote control of those systems.
HTTPSnoop, one of the malware components, interacts with Windows HTTP kernel drivers and devices to carry out specific commands based on HTTP(S) URLs. On the other hand, PipeSnoop accepts and executes arbitrary shellcode via named pipes.
Both strains are attributed to the larger intrusion set tracked as ‘ShroudedSnooper,’ but they are built for different depths of an intrusion: HTTPSnoop takes its commands over the network, while PipeSnoop takes them from another process already running on the host.
To elude detection, both HTTPSnoop and PipeSnoop masquerade as security elements of the Palo Alto Networks Cortex XDR product. Let’s delve into the functionality of each of these malware components.
HTTPSnoop uses low-level Windows APIs to register specific URLs with the Windows HTTP kernel driver (HTTP.sys) and receive the HTTP(S) requests sent to them. It base64-decodes the data arriving in those requests and executes the result as shellcode on the compromised host.
The implant is loaded through DLL hijacking and comprises two core elements: a stage 2 shellcode that sets up the backdoor web server through kernel calls, and its configuration.
HTTPSnoop then enters a listening loop waiting for incoming HTTP requests. A request carrying valid data is processed; anything else is answered with an HTTP 302 redirect, so casual probing sees an ordinary redirect rather than an error. The received shellcode is decrypted and executed, and its output is returned to the operators as a base64-encoded, XOR-encoded blob. Before registering its URLs, the implant also checks that they do not collide with URLs already configured on the server.
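The request/response shape described above, as an added example that is not code from the article or from the malware itself: it models the implant's handling of one request (valid base64 on a monitored URL is decoded and handed to a callable; anything else gets a 302) and the analyst-side decoding of a captured reply. The URL prefixes, the XOR key and the redirect target are assumptions; the real values are not given here, and nothing in this code executes a payload.

```python
import base64
import binascii
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Stand-in for the implant's configuration. The article does not give the real
# URL patterns or the XOR key, so these values are assumptions for the demo.
MONITORED_PATHS = ("/ews/", "/officetrack/")   # assumed URL prefixes
XOR_KEY = b"\x5a"                               # assumed single-byte key


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def decode_inbound(body: bytes) -> Optional[bytes]:
    """Strict base64 decode of a request body; None when it is not valid base64."""
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; it is its own inverse, so it serves both directions."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_outbound(result: bytes, key: bytes = XOR_KEY) -> bytes:
    """Reply format described in the article: XOR the result, then base64 it."""
    return base64.b64encode(xor(result, key))


def decode_outbound(blob: bytes, key: bytes = XOR_KEY) -> bytes:
    """Analyst side: recover the plaintext result from a captured reply body."""
    return xor(base64.b64decode(blob, validate=True), key)


def handle_request(path: str, body: bytes, run: Callable[[bytes], bytes]) -> Response:
    """Classify one request the way the article describes.

    HTTP.sys only delivers requests for URLs the implant registered, so the
    path check below merely simulates that filter. Valid base64 is decoded and
    handed to `run` (the real implant executes it as shellcode; here it is an
    injected callable, so nothing is executed); anything else gets a 302 whose
    Location target is assumed.
    """
    if not path.lower().startswith(MONITORED_PATHS):
        return Response(302, {"Location": "/"})
    payload = decode_inbound(body)
    if payload is None:
        return Response(302, {"Location": "/"})
    result = run(payload)
    return Response(200, {"Content-Type": "text/plain"}, encode_outbound(result))


def harmless_run(payload: bytes) -> bytes:
    """Stub standing in for shellcode execution: just report the payload size."""
    return b"ran %d bytes" % len(payload)


if __name__ == "__main__":
    # Constructed exchange: a base64 body on a monitored path, then junk on the same path.
    ok = handle_request("/EWS/Exchange.asmx", b"kJA=", harmless_run)   # base64 of \x90\x90
    bad = handle_request("/EWS/Exchange.asmx", b"not base64!", harmless_run)
    print(ok.status, decode_outbound(ok.body))   # 200 b'ran 2 bytes'
    print(bad.status, bad.headers)               # 302 {'Location': '/'}
```

The strict `validate=True` decode matters for the analyst as much as for the implant: a scanner hitting the URL with an ordinary request gets the 302 and never sees a 200 with an odd base64 body, so looking only at response codes in proxy or load-balancer logs will not reveal the backdoor; the registration itself on the host is the more reliable artifact.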
Cisco identified three variants of HTTPSnoop, each listening on a different set of URLs: the first handles generic HTTP URL patterns, the second URLs that resemble Microsoft Exchange Web Services (EWS), and the third URLs mimicking OfficeCore’s LBS/OfficeTrack and telephony applications.
These variants were discovered between April 17 and April 29, 2023, with the most recent variant deliberately limiting the number of monitored URLs for enhanced stealth.
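Because every variant has to register its URLs with HTTP.sys, the registration is a durable host artifact that can be hunted without knowing the exact URLs in advance. The following script is an added example, not code from the article or from Cisco: it parses the "Registered URLs" sections of `netsh http show servicestate` output and flags any URL outside a per-role baseline, tagging those that look like the EWS or OfficeTrack lookalikes described above. The sample output is constructed from memory of the command's layout, and the baseline and lookalike patterns are assumptions to tune per host role.

```python
import re
import subprocess
import sys
from typing import Dict, List, Tuple

# Constructed excerpt in the layout of `netsh http show servicestate`, written
# from memory for this example; check the field names against a live host
# before trusting the parser. It mixes the WinRM listeners a normal Windows
# Server registers with one EWS-lookalike registration, the kind of artifact an
# HTTP.sys-backed implant leaves behind.
SAMPLE_NETSH_OUTPUT = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:5985/WSMAN/
            HTTP://+:47001/WSMAN/

Server session ID: FF00000020000002
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTPS://+:443/EWS/EXCHANGE/ASMX/
"""

# Baseline for a plain domain-joined Windows Server with WinRM (assumption;
# build one per host role, since a real Exchange server registers EWS paths
# legitimately from IIS and must not be baselined like this).
EXPECTED_PREFIXES = ("HTTP://+:5985/WSMAN/", "HTTP://+:47001/WSMAN/")

# Lookalike families the article attributes to the HTTPSnoop variants.
LOOKALIKES = [
    (re.compile(r"/EWS/", re.I), "Exchange Web Services lookalike"),
    (re.compile(r"OFFICETRACK|/LBS/", re.I), "OfficeTrack/LBS lookalike"),
]


def parse_registered_urls(text: str) -> Dict[str, List[str]]:
    """Map each server session ID to the URLs registered under it."""
    sessions: Dict[str, List[str]] = {}
    current = None
    in_urls = False
    url_indent = 0
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"Server session ID:\s*(\S+)", stripped)
        if m:
            current = m.group(1)
            sessions.setdefault(current, [])
            in_urls = False
            continue
        if stripped == "Registered URLs:":
            in_urls = True
            url_indent = len(line) - len(line.lstrip())
            continue
        if in_urls:
            # URL entries are the non-empty lines indented deeper than the header.
            indent = len(line) - len(line.lstrip())
            if stripped and indent > url_indent and current is not None:
                sessions[current].append(stripped)
            else:
                in_urls = False
    return sessions


def find_suspicious(sessions: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (session ID, URL, reason) for every registration outside the baseline."""
    findings = []
    for sid, urls in sessions.items():
        for url in urls:
            if url.upper().startswith(EXPECTED_PREFIXES):
                continue
            reason = next((why for pat, why in LOOKALIKES if pat.search(url)), "not in baseline")
            findings.append((sid, url, reason))
    return findings


def collect_live() -> str:
    """On a Windows host, read the real snapshot; elsewhere, fall back to the sample."""
    if sys.platform != "win32":
        return SAMPLE_NETSH_OUTPUT
    return subprocess.run(["netsh", "http", "show", "servicestate", "view=session"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for sid, url, why in find_suspicious(parse_registered_urls(collect_live())):
        print(f"[!] session {sid}: {url} ({why})")
```

A hit only tells you where to look next: the request-queue view of the same command lists the process IDs attached to each queue, and the owning process should be a known IIS or WinRM host rather than something loaded through a hijacked DLL. On a genuine Exchange server the EWS pattern will match legitimate registrations, so the baseline must come from a known-good host of the same role.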
Cisco separately identified the PipeSnoop implant in May 2023. It is a backdoor that executes shellcode payloads on compromised endpoints, receiving them over Windows named pipes, an inter-process communication (IPC) mechanism.
Because it takes its input from a local named pipe rather than from the network, PipeSnoop is suited to hosts deep inside a compromised network rather than to the exposed servers receiving HTTP(S) traffic on which HTTPSnoop operates. It depends on an external component to supply the shellcode; Cisco’s analysts have not identified that component.
Telecommunication service providers are often prime targets for state-sponsored threat actors due to their integral role in managing critical infrastructure and transmitting highly sensitive data across networks.
The recent surge in state-sponsored attacks against these entities underscores the pressing need for fortified security measures and international collaboration to shield them from increasingly sophisticated cyber threats.