'ShroudedSnooper' Backdoors Use Ultra-Stealth in Mideast Telecom Attacks

A potentially novel threat actor recently compromised two Middle East-based telecommunications organizations, using two backdoors with previously unseen methods for stealthily loading malicious shellcode onto a target system.

In a report shared with Dark Reading, Cisco Talos named the intrusion set "ShroudedSnooper," as it could not correlate the activity with any previously identified groups.

ShroudedSnooper employs two backdoors — "HTTPSnoop" and "PipeSnoop" — with extensive anti-detection mechanisms, including masquerading as popular software products and infecting low-level components of Windows servers. Once implanted, they execute shellcode to give cyberattackers a persistent foothold on the victims' networks, with the ability to move laterally, exfiltrate data, or drop additional malware.

"I have to say: these are extremely stealthy," says Vitor Ventura, lead security researcher with Cisco Talos. "They will hide in plain sight. And it's incredibly hard to distinguish their bad behavior from good. It's pretty clever."

New Backdoor Threat: HTTPSnoop

It's unclear how ShroudedSnooper intrusions are achieved, though researchers guess that the attackers likely exploit vulnerable, Internet-facing servers before using HTTPSnoop — packaged either as a dynamic-link library or an executable file — to cement initial access.

Instead of taking the conventional route of dropping a Web shell on a targeted Windows server, HTTPSnoop takes a stealthier, more circuitous approach, using low-level Windows APIs to interface directly with the HTTP server in a targeted system.

Like a parasite, it uses kernel-level access to bind itself to specific HTTP(S) URL patterns, then listens for incoming requests. If the incoming HTTP request meets a specific pattern, it decodes the data in the request. 

"Basically what they're doing is that they are abusing a feature. That's how Windows Web servers work," Ventura says, before adding that "I have not seen this kind of abuse being done to build implants before."

To add to the stealth, the URL patterns in question often conform to popular, traditional software products. For example, Ventura says, "even if an analyst is looking at the URLs, it will seem like it's regular Outlook webmail. They will have to pay attention, unless they know exactly what they're looking for."

That data decoded from the HTTP requests will, naturally, be malicious shellcode, which then gets executed on the infected device.

The Difficulty in Stopping ShroudedSnooper

In May, the ShroudedSnoop attackers developed an upgrade to HTTPSnoop, "PipeSnoop." Like its brother, it aims to enable arbitrary shellcode to run on the target endpoint, but by reading from and writing to a preexisting pipe — a section of shared memory used for inter-process communication (IPC).

To further elude prying eyes, it should be noted, both Snoops come packaged in executable files mimicking Palo Alto Networks' Cortex XDR application.

That the already stealth-laden HTTPSnoop is being further upgraded only serves to demonstrate just how difficult it would be for telecoms to identify and excise these backdoors.

"Of course victims can search for it. They can check which URLs are registered within the Web server, and try to see which callbacks are being called, and which DLLs are associated with those callbacks. But then again, that's forensic work, which is not that easy to actually perform on live production systems," Ventura explains.

"So I'd say that prevention is a really, really key factor on this," he concludes. Rather than trying to defeat the backdoors themselves, "because there is a certain level of privilege that is needed to do this, companies could use the tools that they have in place to detect the previous steps before the malware being implanted, because they require high privileges."