ShroudedSnooper Backdoors Use Ultra-Stealth in Mideast Telecom Attacks

Published: 23/11/2024   Category: security

The threat cluster hasn't been seen before, but its custom Windows server backdoors have researchers intrigued thanks to their extremely effective stealth mechanisms.

A potentially novel threat actor recently compromised two Middle East-based telecommunications organizations, using two backdoors with previously unseen methods for stealthily loading malicious shellcode onto a target system.
In a report shared with Dark Reading, Cisco Talos named the intrusion set ShroudedSnooper, as it could not correlate the activity with any previously identified groups.
ShroudedSnooper employs two backdoors, HTTPSnoop and PipeSnoop, with extensive anti-detection mechanisms, including masquerading as popular software products and hooking into low-level components of Windows servers. Once implanted, they execute attacker-supplied shellcode to give the intruders a persistent foothold on the victims' networks, with the ability to move laterally, exfiltrate data, or drop additional malware.
"I have to say: these are extremely stealthy," says Vitor Ventura, lead security researcher with Cisco Talos. "They will hide in plain sight. And it's incredibly hard to distinguish their bad behavior from good. It's pretty clever."
It's unclear how ShroudedSnooper gains its initial access, though researchers believe the attackers most likely exploit vulnerable, Internet-facing servers before using HTTPSnoop, packaged either as a dynamic-link library (DLL) or as an executable file, to cement that access.
Instead of taking the conventional route of dropping a Web shell on a targeted Windows server, HTTPSnoop takes a stealthier, more circuitous approach, using low-level Windows APIs to interface directly with the HTTP server built into the operating system.
Like a parasite, it uses that access to the kernel-mode HTTP stack (the HTTP.sys driver that Windows Web servers such as IIS sit on) to bind itself to specific HTTP(S) URL patterns, then listens for incoming requests. If an incoming request matches one of those patterns, the backdoor decodes the data carried in the request.
"Basically what they're doing is that they are abusing a feature. That's how Windows Web servers work," Ventura says, before adding that "I have not seen this kind of abuse being done to build implants before."
To add to the stealth, the URL patterns in question often conform to those of popular, well-established software products. For example, Ventura says, "even if an analyst is looking at the URLs, it will seem like it's regular Outlook webmail. They will have to pay attention, unless they know exactly what they're looking for."
The data decoded from those requests is the malicious shellcode, which the backdoor then executes on the infected host.
In May, the ShroudedSnooper attackers developed an upgrade to HTTPSnoop, called PipeSnoop. Like its sibling, it aims to run arbitrary shellcode on the target endpoint, but it receives that shellcode by reading from and writing to a preexisting named pipe, a Windows inter-process communication (IPC) channel, rather than from HTTP requests.
To further elude prying eyes, it should be noted, both Snoops come packaged in executable files mimicking the Palo Alto Networks Cortex XDR application.
That the already stealthy HTTPSnoop is being upgraded further only underscores how difficult it would be for telecoms to identify and remove these backdoors.
"Of course victims can search for it. They can check which URLs are registered within the Web server, and try to see which callbacks are being called, and which DLLs are associated with those callbacks. But then again, that's forensic work, which is not that easy to actually perform on live production systems," Ventura explains.
"So I'd say that prevention is a really, really key factor on this," he concludes. "Rather than trying to defeat the backdoors themselves, because there is a certain level of privilege that is needed to do this, companies could use the tools that they have in place to detect the previous steps before the malware is implanted, because they require high privileges."
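The check Ventura describes, enumerating which URLs are registered with the Windows HTTP stack and which process owns each registration, can be scripted. The following is an added example written for this page, not code from Cisco Talos or from the article; it parses the output of `netsh http show servicestate view=requestq`, maps each request queue's owning PIDs to process images via `tasklist`, and flags any URL bound by a process that is not an expected Web-server image. The netsh output and PID map below are constructed to match the shape those commands print; the OWA/EWS-looking paths are illustrative and are not the URL patterns from the report, and the allowlist `EXPECTED_IMAGES` is an assumption to tune per host.

```python
"""Hunt for HTTP.sys URL registrations owned by unexpected processes.

Added example, not code from the Talos report or the article. Parses the
request-queue view of `netsh http show servicestate` and flags URLs whose
owning process image is not on an allowlist of expected Web-server images.
"""
import csv
import os
import re
import subprocess

# Assumption: images that legitimately own HTTP.sys queues on an IIS host.
# Tune for the server being checked (compared lower-case).
EXPECTED_IMAGES = {"system", "w3wp.exe"}

# Constructed sample in the shape netsh prints. The third queue is the
# anomaly: Exchange-looking paths bound by pid 4711, which is not IIS.
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Request Queue View):

Request queue name: Request queue is unnamed.
    Process IDs:
        4
    URL group ID: FB00000040000001
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: DefaultAppPool
    Process IDs:
        1832
    URL group ID: FB00000040000002
        Registered URLs:
            HTTP://*:80/
            HTTPS://*:443/

Request queue name: Request queue is unnamed.
    Process IDs:
        4711
    URL group ID: FB00000040000003
        Registered URLs:
            HTTPS://+:443/OWA/AUTH/LOGON.ASPX/
            HTTPS://+:443/EWS/EXCHANGE.ASMX/
"""

# Constructed pid -> image map, as tasklist would report on that host.
SAMPLE_PID_TO_IMAGE = {4: "System", 1832: "w3wp.exe", 4711: "updater.exe"}


def parse_servicestate(text):
    """Return [{name, pids, urls}, ...] from the request-queue view.

    Only an unindented 'Request queue name:' starts a record (netsh repeats
    the line, indented, under each URL group). PID/URL lists end at the first
    line that is not a PID or URL.
    """
    queues, current, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):
            current = {"name": line.split(":", 1)[1].strip(), "pids": [], "urls": []}
            queues.append(current)
            section = None
        elif not current:
            continue
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            current["pids"].append(int(line))
        elif section == "urls" and re.match(r"(?i)https?://", line):
            current["urls"].append(line)
        else:
            section = None
    return queues


def find_suspicious(queues, pid_to_image, expected=EXPECTED_IMAGES):
    """Return (queue, pid, image, url) for each URL not owned by an allowlisted
    image. A PID with no live process is reported as 'unknown', not skipped."""
    findings = []
    for q in queues:
        for pid in q["pids"]:
            image = pid_to_image.get(pid, "unknown").lower()
            if image in expected:
                continue
            for url in q["urls"]:
                findings.append((q["name"], pid, image, url))
    return findings


def collect_live():
    """On a Windows host (run elevated), gather real netsh and tasklist data."""
    state = subprocess.run(["netsh", "http", "show", "servicestate", "view=requestq"],
                           capture_output=True, text=True, check=True).stdout
    rows = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                          capture_output=True, text=True, check=True).stdout
    pid_to_image = {int(r[1]): r[0] for r in csv.reader(rows.splitlines())
                    if len(r) > 1 and r[1].isdigit()}
    return state, pid_to_image


if __name__ == "__main__":
    if os.name == "nt":
        state, pid_map = collect_live()
    else:  # offline demo on the constructed sample
        state, pid_map = SAMPLE_SERVICESTATE, SAMPLE_PID_TO_IMAGE
    for queue, pid, image, url in find_suspicious(parse_servicestate(state), pid_map):
        print(f"SUSPECT queue={queue!r} pid={pid} image={image} url={url}")
```

Owner-based allowlisting catches a standalone implant process, but HTTPSnoop also ships as a DLL, and a DLL loaded into a legitimate worker inherits that worker's allowlisted image. The complementary check, which is the forensic work Ventura refers to, is to compare the registered URL paths against the sites and applications actually configured in IIS and to inspect which modules inside the owning process hold the request queue; a path that no configured application serves is the signal, whoever owns the queue.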
