
Middle East telecoms subjected to new ShroudedSnooper attack

Novel threat actor ShroudedSnooper has targeted Middle Eastern telecommunications firms in new attacks using the stealthy HTTPSnoop malware, reports The Hacker News. According to a Cisco Talos report, ShroudedSnooper likely exploited various internet-exposed servers to deploy HTTPSnoop, which uses new techniques to hook into Windows HTTP kernel drivers and devices so that it can intercept incoming requests for specific HTTP(S) URLs; HTTPSnoop then extracts shellcode from those requests and executes it on the compromised host. "The HTTP URLs used by HTTPSnoop along with the binding to the built-in Windows web server indicate that it was likely designed to work on internet-exposed web and EWS servers," researchers said. The operation's other implant, PipeSnoop, which like HTTPSnoop masquerades as Palo Alto Networks Cortex XDR application components to evade detection, instead takes its input only from a Windows IPC named pipe rather than from HTTP requests. "This suggests the implant is likely designed to function further within a compromised enterprise instead of public-facing servers like HTTPSnoop and probably is intended for use against endpoints the malware operators deem more valuable or high-priority," said researchers.
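Both implants leave a footprint a defender can enumerate: HTTPSnoop needs a URL registration with the built-in Windows web server (HTTP.sys) owned by whatever process hosts it, and PipeSnoop needs a named pipe. The script below is an added hunting example, not code from the article, SC Media or Cisco Talos, and it assumes things the article does not state: the allowlist of processes expected to own HTTP.sys URL registrations on a web/Exchange host, the text layout of `netsh http show servicestate view=requestq verbose=yes`, and a hypothetical baseline file path for named pipes. It flags URL registrations owned by unexpected processes, shows the Authenticode signer of each owner so a binary merely named like a Cortex XDR component stands out, and reports named pipes that have appeared since a baseline snapshot.

```powershell
# Added hunting example (not from the SC Media article or the Cisco Talos report).
# Run elevated on a Windows web/EWS host. Assumptions are marked ASSUMPTION.

# ASSUMPTION: processes that legitimately register URLs with HTTP.sys on this host.
# "System" covers kernel-mode registrations; tune to your own baseline.
$ExpectedOwners = @('System', 'svchost', 'w3wp', 'MSExchangeHMWorker',
                    'MSExchangeMailboxReplication', 'MSExchangeServiceHost')

function Get-HttpSysUrlRegistrations {
    # Parse netsh's request-queue view into one object per request queue:
    # the PIDs attached to the queue and every URL registered in its URL groups.
    # ASSUMPTION: a top-level (unindented) "Request queue name:" line starts a queue,
    # "Process IDs:" is followed by indented PIDs, "Registered URLs:" by indented URLs.
    $lines = & netsh.exe http show servicestate view=requestq verbose=yes
    $queues = New-Object System.Collections.Generic.List[object]
    $current = $null; $section = $null
    foreach ($raw in $lines) {
        $line = $raw.Trim()
        if ($raw -match '^Request queue name:\s*(.+)$') {
            if ($current) { $queues.Add($current) }
            $current = [pscustomobject]@{ Queue = $Matches[1]; Pids = @(); Urls = @() }
            $section = $null
            continue
        }
        if (-not $current) { continue }
        if ($line -eq 'Process IDs:')      { $section = 'pids'; continue }
        if ($line -eq 'Registered URLs:')  { $section = 'urls'; continue }
        if ($section -eq 'pids' -and $line -match '^\d+$') { $current.Pids += [int]$line; continue }
        if ($section -eq 'urls' -and $line -match '^https?://') { $current.Urls += $line; continue }
        if ($line -match ':') { $section = $null }   # any other "key:" line ends the section
    }
    if ($current) { $queues.Add($current) }
    return $queues
}

function Find-UnexpectedHttpSysUrls {
    param([string[]]$Allowlist = $ExpectedOwners)
    foreach ($q in Get-HttpSysUrlRegistrations) {
        foreach ($procId in $q.Pids) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
            if ($Allowlist -contains $name) { continue }
            # Signer check: an implant posing as a Cortex XDR component will not carry
            # a valid Palo Alto Networks signature even if its file name looks right.
            $sig = if ($proc -and $proc.Path) { Get-AuthenticodeSignature -FilePath $proc.Path } else { $null }
            foreach ($url in $q.Urls) {
                [pscustomobject]@{
                    Queue   = $q.Queue
                    Pid     = $procId
                    Process = $name
                    Path    = if ($proc) { $proc.Path } else { $null }
                    SigStatus = if ($sig) { $sig.Status } else { 'n/a' }
                    Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned/unknown' }
                    Url     = $url
                }
            }
        }
    }
}

function Compare-NamedPipes {
    # First run writes the baseline; later runs return pipes that were not in it.
    # ASSUMPTION: the baseline path is hypothetical; keep it off the monitored host in practice.
    param([string]$BaselineFile = 'C:\ProgramData\pipes-baseline.txt')
    $now = [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { $_.Substring('\\.\pipe\'.Length) }
    if (-not (Test-Path $BaselineFile)) { $now | Set-Content -Path $BaselineFile; return @() }
    $base = Get-Content -Path $BaselineFile
    Compare-Object -ReferenceObject $base -DifferenceObject $now |
        Where-Object { $_.SideIndicator -eq '=>' } |
        Select-Object -ExpandProperty InputObject
}

Find-UnexpectedHttpSysUrls | Format-Table -AutoSize
Compare-NamedPipes | ForEach-Object { "New named pipe since baseline: $_" }
```

The URL check is the higher-signal half: on an Exchange or IIS host, every registered HTTP.sys URL should belong to a process you can name, and an unfamiliar owner, or a familiar-looking name whose binary is unsigned or signed by the wrong publisher, is exactly the shape of the HTTPSnoop binding the article describes. The pipe diff is noisier, since legitimate software creates pipes freely, so treat a new pipe as a lead to pair with process and file-signature context rather than as a verdict on its own.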
