A probable APT continues a trend of targeting telecommunications providers.
ShroudedSnooper hits Middle Eastern telcos.
Cisco Talos describes a new intrusion set dubbed “ShroudedSnooper” that’s targeting telecommunications providers in the Middle East. The threat actor is using two implants Cisco Talos calls “HTTPSnoop” and “PipeSnoop.” Talos states, “Based on the HTTP URL patterns used in the implants, such as those mimicking Microsoft’s Exchange Web Services (EWS) platform, we assess that this threat actor likely exploits internet-facing servers and deploys HTTPSnoop to gain initial access.”
ShroudedSnooper is both novel and simple.
The researchers add, “HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint.” There's no attribution yet, and Talos says the group's tactics, techniques, and procedures don't match those of any known group, so it's tracking the activity as something new. The report notes, however, that state-sponsored groups, particularly groups operating on behalf of Iran and China, have recently shown a strong preference for attacking telecommunication providers, especially providers in the Middle East and Asia.
The newer Trojans are more sophisticated and evasive than their predecessors.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, commented on the importance of self-awareness in detecting novel threats. “These are relatively sophisticated trojans,” he wrote. “Still, they can be detected if the defender is monitoring their systems for new, unauthorized executions. Servers shouldn't have a lot of new, unexpected executions happening all the time. So, the defender can make an inventory of what is supposed to be running on a particular server and alert when something new and unexpected shows up.”
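An added defender-side check, not from the Talos report or from Grimes, that applies the inventory-and-alert idea to the http.sys listener HTTPSnoop abuses: capture `netsh http show servicestate` on a known-good server, re-run it later, and report URL prefixes that were not in the baseline. The two snapshots embedded below are constructed samples in that command's format, the EWS-style path is a constructed illustration of the Exchange-mimicking pattern Talos describes, and the assumption that IIS registers only its site-level bindings (so a narrow EWS prefix stands out as a separate registration) is mine, not the page's.

```python
"""Baseline-and-diff check for URL prefixes registered with the Windows HTTP
kernel driver (http.sys), the listener that HTTPSnoop-style implants use.

Capture `netsh http show servicestate` on a known-good server as the baseline,
re-run it later, and pass both texts to find_new_urls(). The snapshots below
are constructed samples in that command's format, not real host output."""
import re

BASELINE_SNAPSHOT = """\
Snapshot of HTTP service state (Server Session View):
-----------------------------------------------------

Server session ID: FE00000020000001
    Version: 2.0
    State: Active
    URL groups:
    URL group ID: FD00000040000001
        State: Active
        Properties:
            Number of registered URLs: 2
            Registered URLs:
                HTTP://*:80/
                HTTPS://*:443/
"""

# Constructed: same host later, with one extra, narrower EWS-like prefix.
CURRENT_SNAPSHOT = BASELINE_SNAPSHOT + """\
    URL group ID: FD00000040000002
        State: Active
        Properties:
            Number of registered URLs: 1
            Registered URLs:
                HTTPS://+:443/EWS/EXCHANGE.ASMX/
"""

EWS_HINT = re.compile(r"/ews/", re.IGNORECASE)  # Exchange Web Services path


def registered_urls(snapshot: str) -> set[str]:
    """Collect every URL listed under a 'Registered URLs:' header."""
    urls, in_block = set(), False
    for line in snapshot.splitlines():
        stripped = line.strip()
        if stripped == "Registered URLs:":
            in_block = True
            continue
        if in_block:
            if stripped.lower().startswith(("http://", "https://")):
                urls.add(stripped.lower())  # http.sys prefixes are case-insensitive
            else:
                in_block = False  # block ends at the first non-URL line
    return urls


def find_new_urls(baseline: str, current: str) -> dict[str, str]:
    """Map each prefix absent from the baseline to a short triage reason."""
    new = registered_urls(current) - registered_urls(baseline)
    return {u: ("mimics Exchange EWS path" if EWS_HINT.search(u)
                else "unexpected registration") for u in sorted(new)}
```

On a server that is not an Exchange host, any hit tagged "mimics Exchange EWS path" deserves immediate review; on a real Exchange host, compare the process IDs in the same netsh output against the expected IIS worker processes.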