Cisco Talos reveals ShroudedSnooper hackers use backdoors to target telecom firms in the Middle East

New research released by Cisco Talos reveals that its researchers recently discovered a new malware family, which they call ‘HTTPSnoop,’ being deployed against telecommunications providers in the Middle East. They also discovered a sister implant to HTTPSnoop, which they are naming ‘PipeSnoop,’ that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, Cisco Talos researchers assess with high confidence that both implants belong to a new intrusion set that they are calling ‘ShroudedSnooper.’

“Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access,” the researchers detailed in a Tuesday blog post. “HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.” 

They additionally identified DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, specifically extended detection and response (XDR) agents, making them difficult to detect. “This activity is a continuation of a trend we have been monitoring over the last several years in which sophisticated actors are frequently targeting telecoms. This sector was consistently a top-targeted industry vertical in 2022, according to Cisco Talos Incident Response data,” the post added.

The post also noted that “the HTTP URLs also consist of patterns mimicking provisioning services from an Israeli telecommunications company. This telco may have used OfficeTrack in the past and/or currently uses this application, based on open-source findings. Some of the URLs in the HTTPSnoop implant are also related to those of systems from the telecommunications firm.”

The Cisco Talos researchers have “observed HTTPSnoop listening for URL patterns that make it look like the infected system being contacted is a server hosting Microsoft’s Exchange Web Services (EWS) API. The URLs consisted of ‘ews’ and ‘autodiscover’ keywords over Ports 443 and 444.”

“Some of the HTTPSnoop implants use HTTP URLs that masquerade as those belonging to OfficeTrack, an application developed by software company OfficeCore that helps users manage different administrative tasks,” the post added. “In several instances, we see URLs ending in ‘lbs’ and ‘LbsAdmin,’ references to the application’s earlier name (OfficeCore’s LBS System) before it was later rebranded as OfficeTrack. OfficeTrack is currently marketed as a workforce management solution geared toward providing coverage for logistics, order orchestration, and equipment control. OfficeTrack is especially marketed towards telecommunication firms.”
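The URL patterns described above are registered with the Windows HTTP kernel driver (HTTP.sys), which means a defender can enumerate them on a suspect host. The following is an added example, not code from Cisco Talos or this article: it parses the text that the Windows command `netsh http show servicestate` prints (the sample output embedded here is a constructed approximation of that format, not a capture from an infected machine) and flags registered URL prefixes that carry the ‘ews,’ ‘autodiscover,’ ‘lbs’ or ‘LbsAdmin’ path segments on hosts that are not expected to serve Exchange or OfficeTrack. The role names `exchange` and `officetrack` and the `expected_roles` parameter are this example's own conventions.

```python
"""Hunt for HTTP.sys URL registrations matching the HTTPSnoop URL patterns.

Added example (not Cisco Talos code). Input is the text produced by
`netsh http show servicestate` on Windows; SAMPLE_NETSH_OUTPUT below is a
constructed approximation of that output, not a real capture.
"""
import re
from dataclasses import dataclass

# Path segments named in the Talos report. Matched case-insensitively
# against whole path segments, so 'lbs' does not also match 'lbsadmin'.
EXCHANGE_KEYWORDS = ("ews", "autodiscover")
OFFICETRACK_KEYWORDS = ("lbs", "lbsadmin")
REPORTED_PORTS = {443, 444}  # ports the report saw for the EWS lookalikes

# netsh prints prefixes like HTTPS://+:443/EWS/ ; '+' or '*' is a wildcard host.
URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^:/]+):(?P<port>\d+)(?P<path>/\S*)$",
    re.IGNORECASE,
)

SAMPLE_NETSH_OUTPUT = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FF00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 3
        Registered URLs:
            HTTP://+:80/TEMPORARY_LISTEN_ADDRESSES/
            HTTPS://+:443/EWS/
            HTTPS://+:444/AUTODISCOVER/AUTODISCOVER.XML
    URL group ID: FE00000040000002
        State: Active
        Number of registered URLs: 1
        Registered URLs:
            HTTPS://+:443/LBSADMIN/
"""


@dataclass(frozen=True)
class Finding:
    url: str
    port: int
    keyword: str
    role: str      # which product the URL impersonates: 'exchange' or 'officetrack'
    reason: str


def iter_registered_urls(netsh_output: str):
    """Yield a regex match for every URL prefix line, whatever section it is in."""
    for line in netsh_output.splitlines():
        m = URL_RE.match(line.strip())
        if m:
            yield m


def find_suspect_registrations(netsh_output: str, expected_roles=frozenset()):
    """Return Findings for URL prefixes that look like Exchange/OfficeTrack
    endpoints on a host that is not expected to serve them.

    expected_roles: roles this host legitimately serves, e.g. {"exchange"}.
    A real Exchange server registers /ews and /autodiscover itself, so the
    signal is the registration appearing where that role is not expected.
    """
    findings = []
    for m in iter_registered_urls(netsh_output):
        port = int(m.group("port"))
        segments = [s for s in m.group("path").lower().split("/") if s]
        for role, keywords in (("exchange", EXCHANGE_KEYWORDS),
                               ("officetrack", OFFICETRACK_KEYWORDS)):
            hit = next((kw for kw in keywords if kw in segments), None)
            if hit is None or role in expected_roles:
                continue
            reason = f"path segment '{hit}' mimics {role} on port {port}"
            if port in REPORTED_PORTS:
                reason += " (port matches Talos report)"
            findings.append(Finding(m.group(0), port, hit, role, reason))
            break  # one finding per URL
    return findings


if __name__ == "__main__":
    # A host that is neither an Exchange nor an OfficeTrack server.
    for f in find_suspect_registrations(SAMPLE_NETSH_OUTPUT):
        print(f"SUSPECT {f.url}: {f.reason}")
```

On a real host, feed the function the output of `netsh http show servicestate` and set `expected_roles` from your asset inventory; a finding on a non-Exchange host is a reason to pull the process that owns the request queue (the same netsh output lists it) for analysis.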

The post also detailed that the researchers discovered both HTTPSnoop and PipeSnoop masquerading as components of Palo Alto Networks’ Cortex XDR application. “The malware executable is named ‘CyveraConsole[dot]exe,’ which is the application that contains the Cortex XDR agent for Windows. The variants of both HTTPSnoop and PipeSnoop we discovered had their compile timestamps tampered with but masqueraded as XDR agent from version 7.8.0.64264,” they added.

Additionally, the researchers said that Cortex XDR v7.8 was released on Aug. 7, 2022, and decommissioned on April 24, 2023. “Therefore, it is likely that the threat actors operated this cluster of implants during the aforementioned timeframe. For example, one of the ‘CyveraConsole[dot]exe’ implants was compiled on Nov. 16, 2022, falling approximately in the middle of this time window of the life of Cortex XDR v7.8.”
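The timestamp reasoning above can be turned into a triage check for binaries that claim to be the Cortex XDR agent. The following is an added example, not code from Cisco Talos or this article: it reads the COFF `TimeDateStamp` from a PE header and compares it with the v7.8 lifetime window the article gives (Aug. 7, 2022 to April 24, 2023). The PE bytes are a constructed minimal header built by `build_stub_pe`, not a real sample, and the `claimed_version` string stands in for the product version read from the file's version resource. Because the report says the implants' timestamps were tampered with to fit that window, a timestamp inside it is only "plausible," never proof of authenticity; the check catches inconsistent fakes and must be paired with Authenticode and hash verification against the vendor's known-good build.

```python
"""Triage a PE compile timestamp against the Cortex XDR v7.8 lifetime.

Added example (not Cisco Talos code). The window dates come from the
article; the PE header bytes are constructed for illustration.
"""
import struct
from datetime import datetime, timezone

# Lifetime of Cortex XDR v7.8 as stated in the article.
V78_RELEASED = datetime(2022, 8, 7, tzinfo=timezone.utc)
V78_DECOMMISSIONED = datetime(2023, 4, 24, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at offset 0x3C points at the 'PE\0\0' signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_stub_pe(timestamp: datetime) -> bytes:
    """Construct a minimal MZ/PE header carrying the given TimeDateStamp.
    Test data only: it is not a loadable executable."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        0x8664,                         # Machine: x64
        1,                              # NumberOfSections
        int(timestamp.timestamp()),     # TimeDateStamp
        0, 0,                           # PointerToSymbolTable, NumberOfSymbols
        0, 0,                           # SizeOfOptionalHeader, Characteristics
    )
    return bytes(dos) + b"PE\0\0" + coff


def triage_xdr_claim(data: bytes, claimed_version: str):
    """Compare a file's compile timestamp with the lifetime of the version it
    claims to be. Returns (timestamp, verdict) where verdict is one of
    'inconsistent', 'plausible' or 'not-7.8'.
    'plausible' means only that the timestamp does not contradict the claim;
    the report shows tampered timestamps can pass this check."""
    ts = pe_timestamp(data)
    if not claimed_version.startswith("7.8."):
        return ts, "not-7.8"
    in_window = V78_RELEASED <= ts <= V78_DECOMMISSIONED
    return ts, ("plausible" if in_window else "inconsistent")


if __name__ == "__main__":
    # Constructed sample with the Nov. 16, 2022 compile date the article cites.
    sample = build_stub_pe(datetime(2022, 11, 16, tzinfo=timezone.utc))
    print(triage_xdr_claim(sample, "7.8.0.64264"))
```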

The researchers said that in recent years, there have been many instances of state-sponsored actors and sophisticated adversaries targeting telecommunications organizations around the world. “In 2022, this sector was consistently a top-targeted vertical in Talos IR engagements. Telecommunications companies typically control a vast number of critical infrastructure assets, making them high-priority targets for adversaries looking to cause significant impact. These entities often form the backbone of national satellite, internet, and telephone networks upon which most private and government services rely.” 

Furthermore, telecommunications companies can serve as a gateway for adversaries to access other businesses, subscribers, or third-party providers, they added.

They also identified that their IR findings are consistent with reports from other cybersecurity firms outlining various attack campaigns targeting telecommunications companies globally. “In 2021, CrowdStrike disclosed a years-long campaign by the LightBasin (UNC1945) advanced persistent threat (APT) targeting 13 telecommunications companies globally using Linux-based implants to maintain long-term access in compromised networks. That same year, McAfee discovered activity targeting telecommunication firms in Europe, the U.S., and Asia dubbed ‘Operation Diànxùn’ linked to the Chinese APT group Mustang Panda (RedDelta). This campaign heavily relied on the PlugX malware implant.”

Also in 2021, Recorded Future reported that four distinct Chinese state-sponsored APT groups were targeting the email servers of a telecommunications firm in Afghanistan, again using the PlugX implant. In March this year, SentinelLabs reported observing the initial phases of attacks against telecommunication providers in the Middle East during the first quarter of the year. The team assessed that the activity represents an evolution of tooling associated with Operation Soft Cell and that the threat actor is highly likely a Chinese cyberespionage group in the nexus of Gallium and APT41, although the exact grouping remained unclear at the time.

Cisco Talos said that the targeting of telecommunications firms in Middle-East Asia is also quite prevalent. “In January 2021, Clearsky disclosed the ‘Lebanese Cedar’ APT leveraging web shells and the ‘Explosive’ RAT malware family to target telecommunication firms in the U.S., U.K., and Middle-East Asia. In a separate campaign, Symantec noted the MuddyWater APT targeting telecommunication organizations in the Middle East, deploying web shells on Exchange Servers to instrument script-based malware and dual-use tools to carry out hands-on-keyboard activity,” it added.

In March this year, Cisco Talos researchers identified two vulnerabilities in WellinTech’s KingHistorian industrial control systems (ICS) data manager. Talos tested and confirmed that the affected versions of WellinTech KingHistorian could be exploited through these vulnerabilities.
