Saturday, July 13 2024

Hackers Attack Telecom Servers With HTTPSnoop Malware

The telecom industry emerged as a prime target for advanced adversaries and state-sponsored actors in 2022, resulting in a significant increase in Talos IR cases focused on this sector.

Telecommunications companies possessing crucial infrastructure assets are particularly attractive targets due to their pivotal role in national networks, making them potential gateways for adversaries.

Researchers at Cisco Talos have discovered a new malware called “HTTPSnoop” that is specifically designed to target telecom companies in the Middle East. This malware uses innovative techniques to interact with Windows HTTP kernel drivers in order to execute content based on URLs.

The implant cluster, which consists of HTTPSnoop and PipeSnoop, exhibits unique Tactics, Techniques, and Procedures (TTPs). It is associated with a newly discovered intrusion set called “ShroudedSnooper” because its characteristics do not align with any known groups monitored by Talos.

Variants of HTTPSnoop

In total, the attackers built three variants of HTTPSnoop:

Variant 1:
The HTTPSnoop variants are DLL-based and are loaded through DLL hijacking in harmless applications. The initial variant, created on April 17, 2023, listens on HTTP URLs that bear a striking resemblance to those of Microsoft's EWS API, which allows it to receive and execute shellcode.

Variant 2:
The second variant of HTTPSnoop, created on April 19, 2023, is similar to the original version but focuses on different HTTP URLs on Ports 80 and 443. This could be for a web server that is not associated with EWS.

Variant 3:
To minimize the risk of detection, they later developed a third variant on April 29, 2023, which included a killswitch URL and another listening URL. This strategic move was aimed at confining the URLs to a more restricted range.

HTTPSnoop Malware Interface

HTTPSnoop and PipeSnoop were cleverly disguised as components of Palo Alto Networks’ Cortex XDR app. Their altered compile timestamps indicated that they were active during the v7.8 window, which spanned from August 2022 to April 2023.

HTTPSnoop is a basic but efficient backdoor that does the following things:

Uses low-level Windows APIs to interact with HTTP devices
Listens for specific URL patterns
Executes decoded shellcode from incoming requests
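
A defender-side check for the behaviour listed above, as an added example that is not from the Talos report or the original article: it parses a saved copy of `netsh http show servicestate view=requestq` output and reports URLs on ports 80/443 that processes outside an expected set have registered with the Windows HTTP driver. The sample text, PIDs, URLs and the `expected_pids` allow-list are constructed assumptions.

```python
import re

# Constructed, trimmed sample modelled on the layout of
# `netsh http show servicestate view=requestq`; PIDs and URLs are made up.
SAMPLE = """\
Request queue name: Request queue is unnamed.
    Process IDs:
        4
    URL groups:
    URL group ID: FD00000040000001
        Registered URLs:
            HTTP://+:5985/WSMAN/

Request queue name: Request queue is unnamed.
    Process IDs:
        6212
    URL groups:
    URL group ID: FE00000240000002
        Request queue name: Request queue is unnamed.
        Registered URLs:
            HTTP://+:80/EXAMPLE/SERVICE/
            HTTPS://+:443/EXAMPLE/SERVICE/
"""

URL_RE = re.compile(r"^(https?)://([^/]+?):(\d+)(/.*)$", re.I)

def parse_queues(text):
    """Split the snapshot into request queues with their PIDs and URLs."""
    queues, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Request queue name:"):   # unindented: new queue
            queues.append({"pids": set(), "urls": []})
        elif line in ("Process IDs:", "Registered URLs:"):
            section = line
        elif queues and section == "Process IDs:" and line.isdigit():
            queues[-1]["pids"].add(int(line))
        elif queues and section == "Registered URLs:" and URL_RE.match(line):
            queues[-1]["urls"].append(line)
    return queues

def suspicious(queues, expected_pids, ports=(80, 443)):
    """Return (pid, url) for web-port URLs owned by PIDs not in expected_pids."""
    hits = []
    for q in queues:
        for url in q["urls"]:
            if int(URL_RE.match(url).group(3)) in ports:
                hits.extend((p, url) for p in sorted(q["pids"] - expected_pids))
    return hits
```

In practice `expected_pids` would hold the PIDs of the host's legitimate web server processes, taken from a process listing captured at the same time as the snapshot.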

The analyzed DLL consists of two crucial components, as mentioned below:

Encoded Stage 2 shellcode.
Encoded Stage 2 configuration.

Once the malicious DLL is activated, it XOR-decodes the Stage 2 configuration and shellcode and then executes the shellcode.

PipeSnoop is an exclusive implant specifically crafted for diverse environments. It is commonly utilized in enterprise settings that possess IPC pipe I/O capabilities. With its creation dating back to May 2023, PipeSnoop stands out as a remarkable tool.
