Security News

New malware named HTTPSnoop and PipeSnoop is being used in cyberattacks on telecommunication service providers in the Middle East, allowing threat actors to remotely execute commands on infected devices. The HTTPSnoop malware interfaces with Windows HTTP kernel drivers and devices to execute content on the infected endpoint based on specific HTTP(S) URLs, and PipeSnoop accepts and executes arbitrary shellcode from a named pipe.

Telecommunication service providers in the Middle East are the target of a new intrusion set dubbed ShroudedSnooper that employs a stealthy backdoor called HTTPSnoop. "HTTPSnoop is a simple, yet effective, backdoor that consists of novel techniques to interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint," Cisco Talos said in a report shared with The Hacker News.

The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, and North America. Active since 2021, the group has relied on spear-phishing and watering hole attacks to pull off its cyber espionage schemes.

A nation-state threat actor known as 'Charming Kitten' has been observed deploying a previously unknown backdoor malware named 'Sponsor' against 34 companies around the globe. One of the notable features of the Sponsor backdoor is that it hides its otherwise innocuous configuration files on the victim's disk so they can be discreetly deployed by malicious batch scripts, successfully evading detection.

The Iranian threat actor known as Charming Kitten has been linked to a new wave of attacks targeting different entities in Brazil, Israel, and the U.A.E. using a previously undocumented backdoor named Sponsor. "The Sponsor backdoor uses configuration files stored on disk," ESET researcher Adam Burgher said in a new report published today.

The Iranian threat actor tracked as APT34 has been linked to a new phishing attack that leads to the deployment of a variant of a backdoor called SideTwist. "APT34 has a high level of attack technology, can design different intrusion methods for different types of targets, and has supply chain attack capability," NSFOCUS Security Labs said in a report published last week.

"The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems," Kaspersky said in an analysis spotlighting APT31's previously undocumented tradecraft. Some variants of the second-stage backdoors also come with features designed to look up file names in the Microsoft Outlook folder, execute remote commands, and employ the third-step component to complete the data exfiltration step in the form of RAR archive files.

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has discovered a new backdoor malware named 'Whirlpool' used in attacks on compromised Barracuda Email Security Gateway (ESG) devices. [...]

Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign. "Patchwork relied on a range of elaborate fictitious personas to socially engineer people into clicking on malicious links and downloading malicious apps," the social media giant said.

The Cybersecurity and Infrastructure Agency has published an analysis report on the backdoors dropped by attackers exploiting CVE-2023-2868, a remote command injection vulnerability in Barracuda Email Security Gateway appliances. In late May, Barracuda warned that attackers have been exploiting the vulnerability in Barracuda Networks' ESG physical appliances.