Middle East telcos targeted by new malware with suspected nation-state backing
Telecommunications providers across the Middle East are being targeted with a new malware family that researchers are calling “HTTPSnoop.”
Cybersecurity experts at Cisco Talos published research on Tuesday about two pieces of malware that masquerade as components of legitimate software, including Palo Alto Networks’ Cortex XDR security application and Microsoft’s Exchange Web Services (EWS) platform – making detection difficult for defenders.
“At this point, this activity cannot be tied to any known groups’ TTPs. This implies we are either dealing with a new actor group or potentially new activity with divergent TTPs of an existing group,” the researchers told Recorded Future News, referring to tactics, techniques and procedures.
Cisco Talos suspects the operation is state-sponsored, but the researchers did not speculate on the origin.
“Telecommunication companies have a huge amount of visibility into national and global internet traffic and are of high value, especially for state-sponsored groups,” the researchers said.
HTTPSnoop was seen deployed alongside another piece of malware — labeled PipeSnoop — that the researchers said made up an intrusion set they’re calling ShroudedSnooper.
The researchers explained that the intrusion tools stood out because they offer a “huge degree of sophistication and stealth in their operations.” HTTPSnoop is a backdoor that lets the actors listen for incoming HTTP requests to specific URLs and execute the content of those requests on the infected machine.
The attackers are likely taking advantage of internet-facing servers during attacks. HTTPSnoop allows them to essentially piggyback on existing web servers, the researchers said, by using a novel technique that makes the malicious traffic appear to belong to legitimate applications such as Microsoft EWS.
They added that the blatant attempts to disguise the malware as components of security software such as XDR indicate that the threat actors behind these operations were “significantly confident of evading specific security solutions in victim environments.”
In the report, Cisco Talos explained that the campaign is part of a trend researchers have observed over the last few years of explicitly targeting telecoms. The sector was the most consistently targeted vertical that Cisco Talos tracked in 2022.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.