ShroudedSnooper operation, a new threat targeting the Middle East

October 6, 2023
ShroudedSnooper Operation Cyberattack Cybercrime Threat Middle East Telecom

The newly identified ShroudedSnooper intrusion set has targeted two Middle Eastern telecommunications organisations with a new family of stealthy backdoors built to evade detection.

Researchers named the activity ‘ShroudedSnooper’ because they could not link it to any known threat group: its tooling and techniques form a distinct cluster of their own.

ShroudedSnooper relies on two backdoors.

The ShroudedSnooper actor uses two backdoors, “HTTPSnoop” and “PipeSnoop.” Both are built to evade detection: they masquerade as legitimate software products and take their operator input through low-level Windows interfaces rather than through the conventional channels defenders most often monitor.

Once a host is compromised, the backdoors act as shellcode loaders: they wait for operator-supplied payloads, decode and execute them, and thereby give the operators a persistent foothold in the victim network.

That foothold lets the attackers move through the environment, harvest information and stage additional malware while the implants run quietly on the host. Both backdoors blend their traffic and behaviour into legitimate activity well enough that analysts find it hard to separate the two.

HTTPSnoop is the more notable of the two. Rather than running as a conventional web shell inside a web application, it talks to the Windows HTTP server stack directly through low-level Windows APIs, so there is no web-shell script for file-based detection to find.

Those APIs let a user-mode process register URL prefixes with the kernel-mode HTTP.sys driver, which then routes matching requests to that process; HTTPSnoop does not gain kernel-level privileges, it simply rides on the kernel's own listener. Having bound a set of HTTP(S) URL patterns, the backdoor receives every request sent to them and decodes the embedded data when it matches its predefined format.

Because this abuses a legitimate Windows web-server feature rather than exploiting a vulnerability, the traffic looks like ordinary server activity, and the URL patterns are chosen to mimic standard products such as Outlook webmail on Microsoft Exchange, which makes the technique hard to spot even for experienced analysts.
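As a defensive counterpart to the technique just described, here is an added hunting script; it is not code from the original article or from the researchers who analysed ShroudedSnooper. It parses the output of `netsh http show servicestate view=requestq verbose=yes`, which lists every HTTP.sys request queue together with the process IDs attached to it and the URL prefixes it has registered, and flags registrations owned by processes outside an allow-list of expected HTTP.sys users. The sample `netsh` output, the PID-to-image map and the process name `XdrConsole.exe` are all constructed for this example; the output layout is approximated and may differ slightly across Windows versions, so adjust the parser if field names differ on your hosts.

```python
"""Hunt for HTTP.sys URL registrations owned by unexpected processes.

Added example, not code from the article or the researchers. Runs offline
against the constructed sample below; on a live host feed it the real
`netsh http show servicestate view=requestq verbose=yes` output instead.
"""

# Processes that legitimately own HTTP.sys request queues on most servers.
# Tune this per host role (e.g. add the IIS/Exchange worker set you expect).
EXPECTED_HTTP_SYS_OWNERS = {"system", "svchost.exe", "w3wp.exe", "inetinfo.exe"}

# Path fragments that make a prefix look like Exchange/Outlook webmail.
EXCHANGE_PATH_MARKERS = ("/EWS/", "/OWA/", "/ECP/", "/AUTODISCOVER/", "/MAPI/")

# Constructed sample of the request-queue view (layout approximated).
SAMPLE_SERVICESTATE = """\
Snapshot of HTTP service state (Request Queue View):
-----------------------------------------------------

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        1408
    URL groups:
    URL group ID: FE00000040000001
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 1
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        3216
    URL groups:
    URL group ID: FE00000040000005
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTP://+:80/
            HTTPS://+:443/

Request queue name: Request queue is unnamed.
    Version: 2.0
    State: Active
    Number of active processes attached: 1
    Process IDs:
        6120
    URL groups:
    URL group ID: FE00000040000009
        State: Active
        Request queue name: Request queue is unnamed.
        Number of registered URLs: 2
        Registered URLs:
            HTTPS://+:443/EWS/EXCHANGE/EXCHANGEWS/
            HTTPS://+:443/OWA/AUTH/LOGON.ASPX/
"""

# Constructed PID-to-image map (on a live host: Get-Process or tasklist).
SAMPLE_PROCESSES = {4: "System", 1408: "svchost.exe", 3216: "w3wp.exe", 6120: "XdrConsole.exe"}


def parse_request_queues(text):
    """Return one {'pids': [...], 'urls': [...]} record per request queue."""
    queues, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):  # unindented: a new queue starts
            current = {"pids": [], "urls": []}
            queues.append(current)
            section = None
        elif current is None:
            continue  # preamble before the first queue
        elif line == "Process IDs:":
            section = "pids"
        elif line == "Registered URLs:":
            section = "urls"
        elif section == "pids" and line.isdigit():
            current["pids"].append(int(line))
        elif section == "urls" and line.upper().startswith(("HTTP://", "HTTPS://")):
            current["urls"].append(line)
        elif line.endswith(":"):  # any other header closes the current list
            section = None
    return queues


def mimics_exchange(url):
    """True if the registered prefix imitates an Exchange/Outlook webmail path."""
    return any(marker in url.upper() for marker in EXCHANGE_PATH_MARKERS)


def find_suspicious_registrations(servicestate_text, pid_to_image, expected=EXPECTED_HTTP_SYS_OWNERS):
    """Flag every queue whose attached process is not an expected HTTP.sys owner."""
    findings = []
    for queue in parse_request_queues(servicestate_text):
        for pid in queue["pids"]:
            image = pid_to_image.get(pid, "<unknown>")
            if image.lower() in expected:
                continue
            findings.append({
                "pid": pid,
                "image": image,
                "urls": sorted(queue["urls"]),
                "mimics_exchange": any(mimics_exchange(u) for u in queue["urls"]),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_registrations(SAMPLE_SERVICESTATE, SAMPLE_PROCESSES):
        print(finding)
```

Two caveats when running this for real. `netsh http show urlacl` lists only URL reservations (who is allowed to register), not what is registered right now; the `servicestate` view shows live registrations, which is what matters here. And on an Exchange server the OWA and EWS prefixes are legitimately owned by IIS worker processes, so the signal is not the Exchange-looking path itself but an Exchange-looking path owned by a process that is not part of the web stack.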

The attackers also concealed both backdoors in executables that impersonate Palo Alto Networks’ Cortex XDR agent, adding another layer of complexity to detection.

These two new backdoors pose a significant threat to the targeted telecom firms, and defensive capabilities need to keep pace with the growth of such tooling. Organisations beyond the Middle East should take note as well, since the actor could widen its scope in the future and compromise other industries.
