Cisco Talos has identified HTTPSnoop, a new backdoor used against Middle East telecommunications providers, with a sister implant named PipeSnoop. Both implants masquerade as Cortex XDR components and abuse Windows kernel HTTP interfaces and named pipes to receive and execute shellcode on infected endpoints. #HTTPSnoop #PipeSnoop #ShroudedSnooper #CortexXDR #OfficeTrack #OfficeCore
Key points
- Cisco Talos uncovered HTTPSnoop and its companion PipeSnoop targeting telecommunications providers in the Middle East.
- HTTPSnoop binds to specific HTTP(S) URL patterns via Windows http.sys to listen for and execute decoded shellcode from incoming requests.
- PipeSnoop accepts arbitrary shellcode from a named pipe and executes it on the infected endpoint, acting as a companion component.
- Both implants masquerade as Cortex XDR security components (CyveraConsole.exe) with tampered compile times to evade detection.
- The activity is attributed to a new intrusion set, “ShroudedSnooper,” likely gaining initial access through internet-facing servers using EWS-like URL patterns.
- Telecommunications targets have been a long-running trend, with multiple past campaigns by diverse APT groups against the sector.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Initial access via internet-facing servers; “likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.”
- [T1071.001] Web Protocols – Uses HTTP(S) to receive and execute payloads by listening for specific URL patterns; “listen for incoming requests for the specified URLs and execute that content on the infected endpoint.”
- [T1106] Native API – Interacts with the Windows kernel HTTP driver via native APIs (e.g., http.sys!UlCreateServerSession) to set up and manage the backdoor server; “bind to specific HTTP URL patterns to the endpoint … http.sys!UlCreateServerSession.”
- [T1574.001] DLL Hijacking – DLL-based HTTPSnoop/PipeSnoop variants rely on DLL hijacking in benign apps to get activated; “DLL hijacking in benign applications and services to get activated on the infected system.”
- [T1036] Masquerading – Malware masquerades as Cortex XDR components; “CyveraConsole.exe” mimics the Cortex XDR agent; compile-time tampering observed; “masqueraded as XDR agent from version 7.8.0.64264.”
- [T1027] Data Encoding – Stage 2 shellcode and configuration are XOR-encoded, with base64-encoded request bodies; “Stage 2 is a single-byte XOR’ed backdoor shellcode” and “base64-encoded request body.”
- [T1105] Ingress Tool Transfer – PipeSnoop obtains payloads via a named pipe from a second component acting as server; “feeding the shellcode to PipeSnoop via the named pipe.”
Indicators of Compromise
- [File name] CyveraConsole.exe – Masquerading as Cortex XDR component; used as the malware executable.
- [URL] EWS-like and OfficeTrack/LBS-related HTTP URLs – Patterns mimicking Exchange Web Services and OfficeTrack/LBS endpoints. Example patterns include references to “ews” and “autodiscover” and “lbs”/“LbsAdmin” URLs.
- [Note] The activity involves Windows http.sys kernel interfaces and specific URL bindings, indicating a kernel-level web server listener.
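Because HTTPSnoop registers its listener through http.sys rather than opening its own socket, a quick defender check is to enumerate the URL bindings the kernel HTTP service currently holds and ask which process owns each one. The following Python is an added example (not code from the Talos report or from any of the tools it names): it parses a constructed snapshot laid out like `netsh http show servicestate view=requestq` (layout assumed and trimmed), maps queue PIDs to image names via a constructed table, and flags EWS/Autodiscover/LBS-style bindings owned by anything other than the IIS worker process (w3wp.exe, assumed to be the only legitimate owner on an Exchange host).

```python
import re
# Constructed sample in the style of `netsh http show servicestate view=requestq`
# (layout assumed and trimmed; real output carries more fields per queue).
SAMPLE_NETSH = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        4212
    Registered URLs:
        HTTPS://+:443/EWS/
        HTTPS://+:443/AUTODISCOVER/

Request queue name: Request queue is unnamed.
    Process IDs:
        7720
    Registered URLs:
        HTTPS://+:443/EWS/EXCHANGE.ASMX/
        HTTP://+:80/LBS/LBSADMIN/
"""
PID_TO_IMAGE = {4212: "w3wp.exe", 7720: "CyveraConsole.exe"}  # constructed PID->image map
# Path fragments the report says HTTPSnoop mimics (EWS, Autodiscover, OfficeTrack/LBS) and
# the image expected to own them on a legitimate Exchange/IIS host (assumption).
MIMICKED = ("/ews", "/autodiscover", "/lbs")
EXPECTED_OWNERS = {"w3wp.exe"}
URL_RE = re.compile(r"https?://", re.I)

def parse_servicestate(text):
    # Returns [(url, (pid, ...))], attaching each registered URL to its queue's process IDs.
    entries, pids, block = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            pids, block = [], None          # new queue: forget the previous owners
        elif line.endswith(":"):
            block = line                    # "Process IDs:", "Registered URLs:", ...
        elif block == "Process IDs:" and line.isdigit():
            pids.append(int(line))
        elif block == "Registered URLs:" and URL_RE.match(line):
            entries.append((line, tuple(pids)))
    return entries

def flag_suspicious(entries, pid_to_image, expected=EXPECTED_OWNERS):
    # Mimicked URL patterns bound by anything other than the expected web server are flagged.
    hits = []
    for url, pids in entries:
        if any(frag in url.lower() for frag in MIMICKED):
            owners = {pid_to_image.get(p, "<unknown>") for p in pids}
            if not owners <= expected:      # at least one owner is off the allow-list
                hits.append((url, sorted(owners)))
    return hits
```

Running `flag_suspicious(parse_servicestate(SAMPLE_NETSH), PID_TO_IMAGE)` on the constructed snapshot returns the two bindings held by the CyveraConsole.exe process, while the identical-looking EWS and Autodiscover URLs owned by w3wp.exe pass. On a live host, replace the sample with the real netsh output and the PID map with a process listing.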
Read more: https://blog.talosintelligence.com/introducing-shrouded-snooper/