Hackers spy on the Middle East while disguised as security software.
Two new malware families, HTTPSnoop and PipeSnoop, were used in cyber attacks on telecommunications companies in the Middle East. According to a report from Cisco Talos, both are attributed to the same threat actor, tracked as ShroudedSnooper, and each serves a different operational purpose.
Both implants masquerade as security components of the Palo Alto Networks Cortex XDR product to evade detection. The initial intrusion vector is not known, but the researchers assess that the group exploits vulnerable internet-facing servers and then deploys HTTPSnoop to establish initial access.
HTTPSnoop: Monitoring and executing code
HTTPSnoop uses low-level Windows APIs to interact directly with the HTTP server built into Windows (the kernel-mode HTTP.sys driver) on the target system. The malware registers specific URL patterns and listens for incoming requests on them. If a request matches one of those patterns, the implant decodes the data carried in the request and executes it as shellcode on the compromised host.
The implant is loaded on the target system via DLL hijacking and consists of two components: a second-stage shellcode, which sets up the HTTP listener backdoor through kernel system calls, and its configuration. Cisco observed three HTTPSnoop variants, each listening on a different set of URL patterns.
PipeSnoop: Deep Network Penetration
PipeSnoop is a backdoor that executes shellcode on compromised devices through a Windows inter-process communication (IPC) mechanism, named pipes. Unlike HTTPSnoop, which is used for initial access, PipeSnoop is deployed for operations deeper inside compromised networks, on hosts the operators consider more valuable or higher priority.
Telecommunications providers are frequent targets of state-sponsored actors because of their key role in operating critical infrastructure and handling sensitive information. The latest surge in attacks on telecommunications entities underscores the urgent need to strengthen their security measures and the international cooperation needed to protect them.
