State-sponsored actors and highly skilled adversaries have frequently targeted telecommunications businesses worldwide in recent years.
Background:
The great majority of critical infrastructure assets are often under the control of telecommunications firms, making them high-value targets for adversaries seeking to have a significant impact. These organizations frequently serve as the framework of national telephone, internet, and satellite networks, which are the foundation of most private and public services. Telecommunications firms can also act as a point of access for adversaries to other businesses, customers, or third-party suppliers.
A new malware family “HTTPSnoop” was just found by Cisco Talos being used against Middle Eastern telecom providers. The Cortex XDR application from Palo Alto Networks and the Exchange Web Services (EWS) platform from Microsoft are two examples of malware that pose legitimate security software components, making it challenging for defenders to identify them. The research was published on Tuesday by cybersecurity experts at Cisco Talos.
ShroudedSnooper Threat Group:
There is no known group that matches this particular cluster of implants involving HTTPSnoop, PipeSnoop, and related tactics, methods, and procedures (TTPs). With high confidence, Talos determined that both implants are a part of the new intrusion set they’ve named “ShroudedSnooper.” Researchers determine that this threat actor most likely targets internet-facing servers and installs HTTPSnoop to gain initial access based on the HTTP URL patterns used in the implants, such as those impersonating Microsoft’s Exchange Web Services (EWS) infrastructure.
Researchers found HTTPSnoop and PipeSnoop disguising themselves as parts of Palo Alto Networks’ Cortex XDR software. “CyveraConsole.exe,” the application that houses the Cortex XDR agent for Windows, is the name of the malware executable. The variations of HTTPSnoop and PipeSnoop that they found both had altered compile timestamps yet pretended to be XDR agents from version 7.8.0.64264. Released on August 7, 2022, Cortex XDR v7.8 was discontinued on April 24, 2023.
HTTPSnoop Malware:
A new backdoor called HTTPSnoop employs low-level Windows APIs to communicate with the system’s HTTP device in a straightforward yet efficient manner. It makes use of this ability to bind to particular HTTP(S) URL patterns at the endpoint in order to have the endpoint listen for incoming requests. The implant will detect any incoming requests for the predefined URLs and will then begin to decode any associated data. In reality, the decoded HTTP data is shellcode, which the compromised endpoint subsequently executes.
The only significant difference across samples of HTTPSnoop is the URL patterns that it listens for. HTTPSnoop has the same code across all observed variants.
Some of the HTTPSnoop implants make use of HTTP URLs that pretend to be those of OfficeTrack, a program created by the software firm OfficeCore that aids users in managing various administrative chores. Researchers frequently observe URLs with the letters “lbs” and “LbsAdmin,” which correspond to the application’s previous name (OfficeCore’s LBS System) before it was renamed OfficeTrack. Currently, OfficeTrack is promoted as a workforce management tool that covers logistics, order orchestration, and equipment control.
Variants:
To activate on the compromised system, the DLL-based variations of HTTPSnoop typically rely on DLL hijacking in legitimate programs and services. On April 17, 2023, the attackers created the first iteration of the implant, which could bind to particular HTTP URLs on the endpoint and listen for incoming shellcode payloads that were subsequently executed on the compromised endpoint. These HTTP URLs are similar to those of the Exchange Web Services (EWS) API from Microsoft, which lets programs access mailbox items.
The initial version of HTTPSnoop from April 17 is virtually identical to a second edition generated on April 19, 2023. The sole distinction between the two is that the second variation is set up to just listen on Ports 80 and 443, suggesting that the attackers may have meant to target a different non-EWS internet-exposed web server.
A killswitch URL and one more URL that the implant listens to make up the third variation that the attackers created. 29 April 2023 was the creation date of this implant. In order to decrease the chance of discovery, this version of the implant probably made an effort to listen to fewer URLs.
PipeSnoop Malware:
The PipeSnoop implant, developed in May 2023, is a straightforward implant that can read from an IPC pipe to execute arbitrary shellcode payloads on the infected endpoint. Despite having a semantically similar name, the PipeSnoop implant is not an improvement to HTTPSnoop. Both implants are probably made to function in various situations. It is likely that HTTPSnoop was created to function on internet-exposed web and EWS servers based on the HTTP URLs it uses and the binding to the built-in Windows web server. However, as its name might imply, PipeSnoop’s input/output (I/O) capabilities rely on reading and writing to and from a Windows IPC pipe.
IOCs:
c5b4542d61af74cf7454d7f1c8d96218d709de38f94ccfa7c16b15f726dc08c0
04cf425e57e7d511f03189749c8c0a95483eeeb4c423e9ee1a6a766d2fe0094c
3875ed58c0d42e05c83843b32ed33d6ba5e94e18ffe8fb1bf34fd7dedf3f82a7
7495c1ea421063845eb8f4599a1c17c105f700ca0671ca874c5aa5aef3764c1c
1146b1f38e420936b7c5f6b22212f3aa93515f3738c861f499ed1047865549cb
9117bd328e37be121fb497596a2d0619a0eaca44752a1854523b8af46a5b0ceb
e1ad173e49eee1194f2a55afa681cef7c3b8f6c26572f474dec7a42e9f0cdc9d
http://+:80/Temporary_Listen_Addresses/
https://+:443/Temporary_Listen_Addresses/
https://+:443/autodiscover/autodiscovers/
https://+:444/autodiscover/autodiscovers/
https://+:444/ews/exchange/
https://+:443/ews/exchange/
https://+:443/autodiscover/autodiscover /
https://+:444/autodiscover/autodiscover /
https://+:444/ews/exchanges/
https://+:443/ews/exchanges/
https://+:444/ews/exchange /
https://+:443/ews/exchange /
https://+:443/ews/ /
https://+:444/ews/ /
https://+:444/ews/ews/
https://+:443/ews/ews/
https://+:443/ews/autodiscovers/
https://+:444/ews/autodiscovers/
https://+:443/autodiscover/autodiscoverrs/
https://+:444/autodiscover/autodiscoverrs/
https://+:443/autodiscover/course/
https://+:443/autodiscover/because/
https://+:443/autodiscover/oppose/
https://+:443/autodiscover/citizen/
https://+:443/autodiscover/surprise/
https://+:443/autodiscover/make/
https://+:443/autodiscover/tiger/
https://+:443/autodiscover/verb/
https://+:443/autodiscover/palace/
https://+:443/autodiscover/congress/
https://+:443/autodiscover/expire/
https://+:443/autodiscover/this/
https://+:443/ews/often/
https://+:443/ews/evoke/
https://+:443/ews/pitch/
https://+:443/ews/sense/
https://+:443/ews/six/
https://+:443/ews/tower/
https://+:443/ews/feature/
https://+:443/ews/trip/
https://+:443/ews/jazz/
https://+:443/ews/second/
https://+:443/ews/question/
https://+:443/ews/powder/
https://+:444/autodiscover/verb/
https://+:444/autodiscover/palace/
https://+:444/autodiscover/congress/
https://+:444/autodiscover/expire/
https://+:444/autodiscover/this/
https://+:444/ews/feature/
https://+:444/ews/trip/
https://+:444/ews/jazz/
https://+:444/ews/second/
https://+:444/ews/question/
https://+:444/ews/powder/
https://+:444/ews/test/
http://*:80/eye/
http://*:80/delay/
http://*:80/hill/
http://*:80/uncle/
http://*:80/ofasdaqgrumm/
http://*:80/utkvvxwkwgseowps/
http://*:80/xewnsfqdcxmhwb/
http://*:80/vzixmvmvbvrzhoo/
https://*:443/eye/
https://*:443/delay/
https://*:443/hill/
https://*:443/uncle/
https://*:443/ofasdaqgrumm/
https://*:443/utkvvxwkwgseowps/
https://*:443/xewnsfqdcxmhwb/
https://*:443/vzixmvmvbvrzhoo/
http://+:80/test_srv/
https://+:443/test_srv/