
HTTPSnoop Malware

A wave of cyberattacks targeting telecommunication service providers in the Middle East has been linked to the deployment of new malware strains known as HTTPSnoop and PipeSnoop. These threatening tools enable threat actors to gain remote control over compromised devices.

The HTTPSnoop malware leverages Windows HTTP kernel drivers and devices to execute specific content on infected endpoints via HTTP(S) URLs. PipeSnoop, on the other hand, is designed to receive and execute arbitrary shellcode through a named pipe.

According to a report by the cybersecurity researchers who uncovered this attack campaign, both HTTPSnoop and PipeSnoop are attributed to the same intrusion group, tracked as 'ShroudedSnooper.' The two threats nevertheless serve distinct operational purposes and differ in how deeply they are intended to operate inside a compromised environment.

The HTTPSnoop Malware Performs Specialized Actions for the Attackers

HTTPSnoop employs low-level Windows APIs to monitor HTTP(S) traffic on an infected device, listening for a predefined set of URLs. When a request to one of these URLs arrives, the malware decodes the base64-encoded data it carries and executes it as shellcode on the compromised host.

This unsafe implant, activated on the target system via DLL hijacking, comprises two key components: the stage 2 shellcode, which sets up a backdoor Web server through kernel calls, and its configuration.

HTTPSnoop establishes a listening loop, patiently awaiting incoming HTTP requests, and efficiently processes valid data upon their arrival. In cases where incoming data isn't valid, the malware returns an HTTP 302 redirect.

Once the received shellcode has been decrypted, it is promptly executed, and the execution results are transmitted back to the attackers as XOR-encoded, base64-encoded data blocks.

Additionally, this implant takes precautions to avoid conflicts with previously configured URLs on the server, ensuring smooth operation without inadvertent clashes.

Experts Have Uncovered Several HTTPSnoop Malware Variants

Three distinct variants of HTTPSnoop have been observed so far, each employing a unique URL listening pattern. The first variant monitors generic HTTP URL-based requests, while the second focuses on URLs that mimic Microsoft Exchange Web Services. The third variant targets URLs that emulate OfficeCore's LBS/OfficeTrack and telephony applications.

These variants were discovered in April 2023, and notably, the most recent one has a reduced number of URLs it monitors, likely to enhance its stealth capabilities.

By imitating legitimate URL patterns associated with Microsoft Exchange Web Services and OfficeTrack, these fraudulent requests closely resemble benign traffic, making it exceedingly challenging to distinguish them from legitimate requests.
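Because HTTPSnoop registers its listener URLs through the Windows HTTP kernel driver, every URL it listens on is visible alongside the owning process in the output of `netsh http show servicestate`, which gives defenders a host-side check that does not depend on spotting the lookalike requests on the wire. The script below is an added example, not code from the original article or from the researchers' report: it parses the "Request queues" section of that output and flags URLs whose owning process is not an approved web-server image. The netsh sample, the EWS-style paths, the PID-to-image map and the process names are all constructed for illustration.

```python
"""Flag http.sys URL registrations owned by unexpected processes."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, modelled on the "Request queues" section of
# `netsh http show servicestate`; verify field names against a real host.
SAMPLE_NETSH = """\
Request queues:
    Request queue name: Request queue is unnamed.
        State: Active
        Process IDs:
            4120
        URL groups:
        URL group ID: FE00000040000001
            Number of registered URLs: 2
            Registered URLs:
                HTTP://+:80/ews/
                HTTPS://+:443/ews/
    Request queue name: Request queue is unnamed.
        Process IDs:
            7788
        URL groups:
            Registered URLs:
                HTTPS://+:443/ews/exchange.asmx/
"""

# Constructed PID-to-image map; on a live host build it from the process list.
PID_IMAGE: Dict[int, str] = {4120: "w3wp.exe", 7788: "hostapp.exe"}
APPROVED_IMAGES: Set[str] = {"w3wp.exe", "svchost.exe", "system"}

def parse_request_queues(text: str) -> List[Tuple[List[int], List[str]]]:
    """Return one (pids, urls) pair per request queue in the netsh output."""
    queues: List[Tuple[List[int], List[str]]] = []
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request queue name:"):
            queues.append(([], []))
            mode = None
        elif line == "Process IDs:":
            mode = "pid"
        elif line == "Registered URLs:":
            mode = "url"
        elif mode == "pid" and line.isdigit():
            queues[-1][0].append(int(line))
        elif mode == "url" and re.match(r"https?://", line, re.I):
            queues[-1][1].append(line)
        elif line.endswith(":") or ": " in line:
            mode = None  # any other key ends the current PID/URL list
    return queues

def unexpected_listeners(text: str, pid_image: Dict[int, str], approved: Set[str]):
    """Return (url, owner_images) for URLs not owned by approved images."""
    findings = []
    for pids, urls in parse_request_queues(text):
        owners = {pid_image.get(p, "unknown").lower() for p in pids}
        if not owners <= approved:
            findings.extend((u, sorted(owners)) for u in urls)
    return findings
```

On a real host the same check should be repeated for `netsh http show urlacl`, since a URL reservation granted to an unexpected account is an equally useful lead.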

The ever-evolving landscape of malware poses a formidable and persistent threat in our digital age. Malware is not merely a nuisance but a formidable adversary capable of wreaking havoc on individuals, organizations, and even nations. Vigilance, education, and robust cybersecurity measures are our best defenses against this relentless menace. Staying informed and adopting best practices in online security is not just a choice; it's a necessity in safeguarding our digital lives and preserving the integrity of our interconnected world.
