An advanced threat actor has been spotted using distinctive, novel methods to backdoor French entities in the construction, real estate, and government industries.
How the attack unfolds
The attack starts with a well-known technique – emails containing a macro-enabled Microsoft Word document masquerading as information relating to the GDPR – and ends up with an attempt to install a backdoor on target systems. What happens in between those steps, though, is what makes these attacks interesting.
The targeted recipients that download the attached Word document and enable macros trigger a chain of actions involving:
- PowerShell and Python scripts steganographically hidden in images downloaded from a compromised Jamaican credit union website
- The downloading and use of Chocolatey, a software management automation tool for Windows that wraps installers, executables, zips, and scripts into compiled packages
- The installation of Python, the pip Python package installer, and PySocks (a reverse proxy client that enables users to send traffic through SOCKS and HTTP proxy servers)
- The “Serpent” backdoor, which owns the name to the ASCII art in the VBA macro
Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson say that this is the first time they have observed a threat actor use Chocolatey in campaigns, and that steganography is, in general, rarely used by attackers.
“In addition to the images used in this attack chain, [we] have observed and identified additional payloads being served from the same host. One of particular interest is utilizing what Proofpoint believes to be a novel application of signed binary proxy execution using schtasks.exe,” they added. “Notably, this is an attempt to bypass detection by defensive measures.”
The researchers haven’t been able to associate these campaign with any known group, but the novel techniques and the specific targeting point to an advanced threat actor, whose ultimate objectives can’t be discerned at this time.