Telecom firms hit with novel backdoors disguised as security software

Researchers have unearthed new backdoors leveraged to maintain long-term access in the networks of telecom firms in the Middle East.

HTTPSnoop and PipeSnoop – as the two implants have been dubbed by Cisco Talos researchers – have been disguised as components of Palo Alto Networks’ Cortex XDR solution.

Two backdoor implants

“HTTPSnoop is a simple, yet effective, new backdoor that uses low-level Windows APIs to interact directly with the HTTP device on the system. It leverages this capability to bind to specific HTTP(S) URL patterns to the endpoint to listen for incoming requests,” the researchers explained.

“Any incoming requests for the specified URLs are picked up by the implant, which then proceeds to decode the data accompanying the HTTP request. The decoded HTTP data is, in fact, shellcode that is then executed on the infected endpoint.”

HTTPSnoop tries to keep a low profile by using URL patterns similar to those used by Microsoft’s Exchange Web Services (EWS) platform and OfficeCore’s OfficeTrack, a workforce management solution marketed to telecoms.

PipeSnoop, on the other hand, can run shellcode payloads on the infected endpoint by reading from a pre-existing named Windows IPC pipe.

“This suggests the implant is likely designed to function further within a compromised enterprise – instead of public-facing servers like HTTPSnoop – and probably is intended for use against endpoints the malware operators deem more valuable or high-priority,” the researchers posited.

Telecom sector under attack

Telecommunication firms are frequently under attack by a variety of threat actors, as they can serve as a conduit for attacks on individuals, businesses and governments.

“Telecoms own much of the infrastructure that other businesses use for their operations. Therefore, they have a great responsibility towards them,” Georgia Bafoutsou, Cybersecurity Officer at the European Union Agency for Cybersecurity (ENISA), recently told Help Net Security.

“The sector can also act as a shield for the other sectors, mitigating attacks before they reach other businesses.”

Cisco Talos researchers have not been able to connect these latest attacks with a known threat actor.

UPDATE (September 22, 2023, 06:05 a.m. ET):

SentinelLabs and QGroup GmbH have published a report on another threat actor that recently targeted telcos in the Middle East, Western Europe, and the South Asian subcontinent.

The threat actor uses a novel modular backdoor based on the LuaJIT platform. “LuaDream is a multi-component and multi-protocol backdoor, whose main features are managing attacker-provided plugins and exfiltrating system and user information,” they shared.