Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems.
Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. It is not known what the ultimate goal of this campaign was.
“The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads,” Proofpoint researchers said in a report shared with The Hacker News.
The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union’s General Data Protection Regulation (GDPR).
Enabling the macros results in its execution, which retrieves a seemingly harmless image file hosted on a remote server but actually contains a Base64-encoded PowerShell script that’s obscured using steganography, a little-used method of concealing malicious code within an image or audio in order to circumvent detection.
The PowerShell script, in turn, is engineered to install the Chocolatey utility on the Windows machine, which is then utilized to install the Python package installer pip, the latter of which acts as conduit to install the PySocks proxy library.
Also retrieved by the same PowerShell script is another image file from the same remote server that includes the camouflaged Python backdoor dubbed Serpent, which comes with capabilities to execute commands transmitted from the C2 server.
In addition to steganography, the use of widely recognized tools such as Chocolatey as an initial payload for follow-on deployment of genuine Python packages is an attempt to stay under the radar and not be flagged as a threat, Proofpoint said.
Although no associations have been found with any previously identifiable actor/group, the attacks are believed to be the result of sophisticated hacking operations.
“This is a novel application of a variety of technologies that are often legitimately used within organizations,” Sherrod DeGrippo, vice president of threat research and detection at Proofpoint, said in a statement.
“This exploits the desire of many technical organizations to let their users be self-sufficient in terms of package management and self-tooling. Additionally, the use of steganography is unusual and something we don’t see regularly. “