New HTTPSnoop malware attacks telecom providers
A new cyber attack using the HTTPSnoop malware threatens the security of telecom companies
Recently, a state-sponsored threat group targeted telecommunications service providers in the Middle East. Two new malware families were used in the attacks: HTTPSnoop and PipeSnoop. Both allow the attackers to execute remote commands on infected devices.
HTTPSnoop: Malware that interacts with Windows drivers
HTTPSnoop, which leverages kernel drivers and Windows HTTP devices, executes content received on specific HTTP(S) URLs on the infected device. The malicious program is made to resemble a security component of the Palo Alto Networks Cortex XDR product in order to evade detection systems.
How HTTPSnoop works and its variants
HTTPSnoop monitors HTTP(S) traffic on the infected device for requests to specific URLs, decodes the base64-encoded data sent by the attackers' servers to those URLs, and executes the result as shellcode on the compromised host. It also checks that the URLs it listens on do not collide with URLs already configured on the server. Cisco has identified three variants of HTTPSnoop, each with a different URL listening pattern.
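Because a listener that registers URLs with the Windows HTTP server shows no socket of its own, a defender's first check is which processes own which registered URL prefixes. The following is an added example (not code from the article or from Cisco's analysis): a small triage script that parses a constructed sample of `netsh http show servicestate view=requestq verbose=yes` output, maps each registered URL to the process IDs of its request queue, and flags prefixes outside an expected allow-list. The output layout is assumed, and the PIDs and URL prefixes are made up for illustration, not real indicators.

```python
from collections import defaultdict

# Constructed sample of `netsh http show servicestate view=requestq verbose=yes`
# output. Layout is assumed; PIDs and URL prefixes are illustrative only.
SAMPLE_NETSH = """\
Request queues:

    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Process IDs:
            4
        URL groups:
        URL group ID: FE00000040000001
            Registered URLs:
                HTTP://+:47001/WSMAN/
                HTTP://+:5985/WSMAN/

    Request queue name: Request queue is unnamed.
        Version: 2.0
        State: Active
        Process IDs:
            6120
        URL groups:
        URL group ID: FE00000040000002
            Registered URLs:
                HTTPS://+:443/EXAMPLE-UNEXPECTED-PATH/
"""

# Prefixes the host is expected to serve (hypothetical baseline for this host).
ALLOWED_PREFIXES = {"HTTP://+:47001/WSMAN/", "HTTP://+:5985/WSMAN/"}


def parse_request_queues(text):
    """Map each PID attached to a request queue to the URL prefixes it registered."""
    urls_by_pid = defaultdict(set)
    pids, section = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Request queue name:"):   # a new queue begins
            pids, section = [], None
        elif s == "Process IDs:":
            section = "pids"
        elif s == "Registered URLs:":
            section = "urls"
        elif section == "pids":                   # indented PID lines, then stop
            if s.isdigit():
                pids.append(int(s))
            else:
                section = None
        elif section == "urls":                   # indented URL lines, then stop
            if s.upper().startswith("HTTP"):
                for pid in pids:
                    urls_by_pid[pid].add(s)
            else:
                section = None
    return dict(urls_by_pid)


def unexpected_urls(text, allowed=ALLOWED_PREFIXES):
    """Return sorted (pid, url) pairs for registered URLs not in the allow-list."""
    allowed_upper = {a.upper() for a in allowed}
    return sorted((pid, url) for pid, urls in parse_request_queues(text).items()
                  for url in urls if url.upper() not in allowed_upper)


if __name__ == "__main__":
    for pid, url in unexpected_urls(SAMPLE_NETSH):
        print(f"unexpected URL prefix {url} registered by PID {pid}")
```

On a live host, replace SAMPLE_NETSH with the captured netsh output and review each flagged PID's image path and signer.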
PipeSnoop: Executing shellcode through Windows pipes
PipeSnoop acts as a backdoor that executes shellcode payloads on compromised devices via Windows IPC pipes. Unlike HTTPSnoop, which appears to be aimed at public-facing servers, PipeSnoop is better suited to operations inside an already compromised network. However, Cisco analysts have not yet identified the component that supplies the shellcode PipeSnoop needs.
09/20/2023 19:00
Marco Verro