Proofpoint researchers uncovered a targeted attack leveraging the open-source package installer Chocolatey to deliver a backdoor tracked as Serpent. The campaign targeted French entities in the construction, real estate, and government industries. Experts believe the attacks were conducted by a sophisticated threat actor.
At this time, experts were not able to determine the ultimate objective of the campaign. The threat actor used the Serpent backdoor to remotely control the systems, steal sensitive data and deliver additional malicious payloads.
The phishing messages use a weaponized Microsoft Word document masquerading as information relating to the “règlement général sur la protection des données (RGPD)”, the European Union’s General Data Protection Regulation (GDPR).
Once the macro in the bait document is enabled, it fetches an image from a remote URL (e.g. https://www.fhccu[.]com/images/ship3[.]jpg) that contains a base64-encoded PowerShell script hidden in the image using steganography.
“The PowerShell script first downloads, installs, and updates the Chocolatey installer package and repository script. Chocolatey is a software management automation tool for Windows that wraps installers, executables, zips, and scripts into compiled packages, similar to Homebrew for OSX.” reads the post published by Proofpoint. “The software provides both open-source and paid versions with various levels of functionality. Proofpoint has not previously observed a threat actor use Chocolatey in campaigns.”
The Chocolatey utility is then used to install the Python package installer pip, which in turn installs the PySocks proxy library.
Next, the script fetches another image file (e.g. https://www.fhccu[.]com/images/7[.]jpg), which likewise contains a base64-encoded Python script hidden using steganography, and saves the decoded Python script as MicrosoftSecurityUpdate.py. The script then creates and executes a .bat file that in turn runs the Python script, which is the Serpent backdoor.
“The malware then uses PySocks to connect to the command line pastebin tool Termbin, pastes the output to a bin, and receives the bin’s unique URL. Finally, the malware sends a request to the “answer” server (the second onion[.]pet URL), including the hostname and bin URL in the header.” continues the report. “This allows the attacker to monitor the bin outputs via the “answer” URL and see what the infected host’s response was. The malware cycles through this process indefinitely.”
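The infection chain described above (Office macro spawning PowerShell, Chocolatey and pip installs, the MicrosoftSecurityUpdate.py script, and the Termbin and onion.pet connections) lends itself to a multi-stage detection rule. The following is an added example written for this article, not code from Proofpoint or the report; the telemetry is constructed and the event field layout is an assumption.

```python
import re
from collections import Counter

# Constructed sample telemetry (not from Proofpoint's report). Each event is
# (event_type, parent_image, image, command_line_or_destination); the field
# layout is an assumption about the EDR export, adapt it to your own.
SAMPLE_EVENTS = [
    ("process", "WINWORD.EXE", "powershell.exe", "powershell -w hidden -enc ZQBjAGgAbwA="),
    ("process", "powershell.exe", "choco.exe", "choco install python -y"),
    ("process", "powershell.exe", "pip.exe", "pip install PySocks"),
    ("process", "cmd.exe", "python.exe", "python C:\\Users\\Public\\MicrosoftSecurityUpdate.py"),
    ("network", "python.exe", "", "termbin.com:9999"),
    ("network", "python.exe", "", "onion.pet:443"),
    ("process", "explorer.exe", "powershell.exe", "powershell -Command Get-Date"),  # benign admin use
]

# One regex per stage of the chain described in the article, matched against the
# tab-joined event fields. Matching is case-insensitive because image names vary.
STAGE_RULES = {
    "office_spawns_powershell": r"^process\t(winword|excel|outlook)\.exe\tpowershell\.exe\t",
    "powershell_installs_chocolatey": r"^process\tpowershell\.exe\tchoco\.exe\t",
    "pip_installs_pysocks": r"^process\t[^\t]*\tpip3?\.exe\tpip3? install .*pysocks",
    "python_runs_fake_security_update": r"^process\t[^\t]*\tpython\.exe\t.*MicrosoftSecurityUpdate\.py",
    "python_contacts_termbin": r"^network\tpython\.exe\t\ttermbin\.com",
    "python_contacts_onion_pet": r"^network\tpython\.exe\t\t[^\t]*onion\.pet",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in STAGE_RULES.items()}


def match_stages(events):
    """Count how many events hit each stage; returns a Counter keyed by stage name."""
    hits = Counter()
    for event in events:
        line = "\t".join(event)
        for stage, regex in COMPILED.items():
            if regex.search(line):
                hits[stage] += 1
    return hits


def chain_alert(events, min_stages=3):
    """Alert only when several distinct stages co-occur on a host: choco and pip
    are legitimate admin tools, so a single stage on its own is weak evidence."""
    hits = match_stages(events)
    return len(hits) >= min_stages, sorted(hits)


if __name__ == "__main__":
    fired, stages = chain_alert(SAMPLE_EVENTS)
    print("ALERT" if fired else "no alert", stages)
```

The benign explorer.exe-launched PowerShell event is deliberately included to show that the rule keys on the Office parent process, not on PowerShell alone.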
The steganographic images used in the attack are both hosted on a Jamaican credit union website.
“The use of steganography in the macro and follow-on payloads is unique; Proofpoint rarely observes the use of steganography in campaigns. Additionally, the technique using schtasks.exe to execute any desired portable executable file is also unique and previously unobserved by Proofpoint threat researchers. Proofpoint does not associate this threat with a known actor or group,” concludes the report. “The ultimate objectives of the threat actor are presently unknown. Successful compromise would enable a threat actor to conduct a variety of activities, including stealing information, obtaining control of an infected host, or installing additional payloads.”