New server backdoors posing as security product target telecoms

Security researchers have uncovered a new set of backdoor programs that have been used to compromise systems belonging to telecommunications providers in the Middle East. The programs are not yet linked to any known cyberattack group, but multiple nation-state threat actors have targeted telecommunications companies in recent years because they operate valuable assets and can be used as gateways into other organizations.

The two backdoors dubbed HTTPSnoop and PipeSnoop by researchers from Cisco Talos have not been seen before but were created by attackers with good knowledge of Windows internals. They masquerade as components of Palo Alto Networks’ Cortex XDR, an endpoint security client.

Backdoor designed for internet-facing servers

The HTTPSnoop backdoor is usually deployed as a rogue DLL by using DLL hijacking techniques — tricking a legitimate application to load it by giving it a specific name and location Once executed, it uses low-level Windows APIs to access the HTTP device in the kernel and start listening for specially crafted HTTP requests.

The backdoor registers itself as the listener for specific URLs, which attackers can then send requests to with a specific keyword in the header. When receiving such requests, the HTTPSnoop will decode the request body and will extract shellcode, which it will then execute on the system.

The Talos researchers found multiple versions of this backdoor with the only difference being the URLs they listened to. One version registered as a listener for HTTP URLs that resembled those used by Microsoft’s Exchange Web Services (EWS) API, suggesting it was designed to be deployed on compromised Microsoft Exchange servers and the attackers wanted to hide the suspicious requests among legitimate traffic.

Another version listened to URLs that resembled those used by a workforce management application now called OfficeTrack and previously OfficeCore’s LBS System. This application is marketed to telecommunications firms, the Talos researchers said, which suggests the attackers customize their backdoor for each victim based on the software they know they’re running on their servers.

“The HTTP URLs also consist of patterns mimicking provisioning services from an Israeli telecommunications company,” the researchers said. “This telco may have used OfficeTrack in the past and/or currently uses this application, based on open-source findings. Some of the URLs in the HTTPSnoop implant are also related to those of systems from the telecommunications firm.”

HTTPSnoop and its sister backdoor PipeSnoop were found masquerading as an executable file called CyveraConsole.exe, which normally belongs to an application that contains the Palo Alto Networks Cortex XDR agent for Windows.

“The variants of both HTTPSnoop and PipeSnoop we discovered had their compile timestamps tampered with but masqueraded as XDR agent from version 7.8.0.64264,” the researchers said. “Cortex XDR v7.8 was released on August 7, 2022, and decommissioned on April 24, 2023. Therefore, it is likely that the threat actors operated this cluster of implants during the aforementioned timeframe.”

PipeSnoop backdoor targets internal systems, too

PipeSnoop does not listen to HTTP URLs but to a specific named pipe. IPC pipes are a mechanism through which local processes can communicate with each other on Windows systems. The choice of using this mechanism as command-and-control suggests that this backdoor might have been designed for internal systems that are not directly accessible from the internet, unlike HTTPSnoop.

PipeSnoop cannot operate alone on a system because it does not create a named pipe by itself but only listens to one. This means another implant must obtain rogue shellcode from the attackers in some way then create a specifically named local pipe and feed the shellcode to PipeSnoop to execute. The Talos researchers have not been able to identify this second component yet.

PipeSnoop “is likely designed to function further within a compromised enterprise –instead of public-facing servers like HTTPSnoop — and probably is intended for use against endpoints the malware operators deem more valuable or high-priority,” the Talos researchers said.