- Aug 17, 2014
A potentially novel threat actor recently compromised two Middle East-based telecommunications organizations, using two backdoors with previously unseen methods for stealthily loading malicious shellcode onto a target system.
In a report shared with Dark Reading, Cisco Talos named the intrusion set "ShroudedSnooper," as it could not correlate the activity with any previously identified groups.
ShroudedSnooper employs two backdoors — "HTTPSnoop" and "PipeSnoop" — with extensive anti-detection mechanisms, including masquerading as popular software products and infecting low-level components of Windows servers. Once implanted, they execute shellcode to give cyberattackers a persistent foothold on the victims' networks, with the ability to move laterally, exfiltrate data, or drop additional malware.
"I have to say: these are extremely stealthy," says Vitor Ventura, lead security researcher with Cisco Talos. "They will hide in plain sight. And it's incredibly hard to distinguish their bad behavior from good. It's pretty clever."
It's unclear how ShroudedSnooper intrusions are achieved, though researchers guess that the attackers likely exploit vulnerable, Internet-facing servers before using HTTPSnoop — packaged either as a dynamic-link library or an executable file — to cement initial access.
Instead of taking the conventional route of dropping a Web shell on a targeted Windows server, HTTPSnoop takes a stealthier, more circuitous approach, using low-level Windows APIs to interface directly with the HTTP server in a targeted system.
Like a parasite, it uses kernel-level access to bind itself to specific HTTP(S) URL patterns, then listens for incoming requests. If the incoming HTTP request meets a specific pattern, it decodes the data in the request.
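The binding behaviour described above is the detection angle a defender has: anything that registers a URL prefix with the Windows HTTP server (HTTP.sys) shows up in the `netsh http show servicestate` snapshot together with the process IDs attached to the request queue, so a URL prefix served by a process that is not IIS or a known Windows service is worth a look. The PowerShell below is an added example, not code from the Dark Reading article or the Talos report. It assumes the request-queue view of that `netsh` output has the layout shown in the constructed sample (a top-level `Request queue name:` block containing a `Process IDs:` list and one or more `Registered URLs:` lists); the PIDs, image names, URLs and the allow-list of expected images are all constructed placeholders.

```powershell
# Added example (not from the article or the Talos report): parse the HTTP.sys
# service-state snapshot and flag URL prefixes served by unexpected processes.
# Assumption: 'netsh http show servicestate view=requestq' prints one top-level
# "Request queue name:" block per queue, with "Process IDs:" and
# "Registered URLs:" lists indented beneath it.

function ConvertFrom-HttpServiceState {
    param([string[]]$Lines)
    $queues  = @()
    $current = $null
    $section = $null
    foreach ($raw in $Lines) {
        # Only an unindented "Request queue name:" starts a new queue; the same
        # label also appears indented inside each URL group and must be ignored.
        if ($raw -match '^Request queue name:\s*(.*)$') {
            if ($current) { $queues += $current }
            $current = [pscustomobject]@{ Name = $Matches[1]; Pids = @(); Urls = @() }
            $section = $null
            continue
        }
        if (-not $current) { continue }
        $line = $raw.Trim()
        if ($line -eq 'Process IDs:')     { $section = 'pids'; continue }
        if ($line -eq 'Registered URLs:') { $section = 'urls'; continue }
        if ($section -eq 'pids' -and $line -match '^\d+$')     { $current.Pids += [int]$line; continue }
        if ($section -eq 'urls' -and $line -match '^https?://') { $current.Urls += $line;      continue }
        if ($line -ne '') { $section = $null }   # any other label ends the list
    }
    if ($current) { $queues += $current }
    return $queues
}

function Find-UnexpectedHttpListeners {
    param(
        [string[]]$Lines,
        [hashtable]$PidToImage,                       # pid -> image name
        [string[]]$ExpectedImages = @('svchost.exe', 'w3wp.exe', 'System')  # placeholder allow-list
    )
    foreach ($q in ConvertFrom-HttpServiceState -Lines $Lines) {
        foreach ($procId in $q.Pids) {                # $PID is reserved in PowerShell
            $image = if ($PidToImage.ContainsKey($procId)) { $PidToImage[$procId] } else { '<unknown>' }
            if ($ExpectedImages -notcontains $image) {
                foreach ($url in $q.Urls) {
                    [pscustomobject]@{ Pid = $procId; Image = $image; Url = $url; Queue = $q.Name }
                }
            }
        }
    }
}

# Constructed sample in the assumed layout. On a live server replace it with:
#   $state = (netsh http show servicestate view=requestq) -join "`n"
$state = @'
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        1348
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        4120
    URL groups:
    URL group ID: FE00000040000002
        State: Active
        Request queue name: Request queue is unnamed.
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTPS://+:443/placeholder-path-1/
                HTTP://+:80/placeholder-path-2/
'@

# Constructed pid -> image map. On a live server build it from Get-Process,
# e.g. Get-Process | ForEach-Object { $map[$_.Id] = Split-Path -Leaf $_.Path }
$map = @{ 1348 = 'svchost.exe'; 4120 = 'updater.exe' }

Find-UnexpectedHttpListeners -Lines ($state -split "`r?`n") -PidToImage $map |
    Format-Table -AutoSize
```

Run on the constructed sample, the WinRM prefix owned by `svchost.exe` is accepted and the two prefixes attached to `updater.exe` are reported. The allow-list is deliberately short; on a real server it should be built from the host's documented role, and any hit should be cross-checked against the image's signature and on-disk path rather than its name alone, since the article notes these implants masquerade as legitimate software.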
Source: Cisco Talos, "New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel implants" (blog.talosintelligence.com): "Cisco Talos has discovered a new intrusion set we're calling 'ShroudedSnooper,' consisting of two new implants, 'HTTPSnoop' and 'PipeSnoop,' targeting telecommunications firms in the Middle East."