Proofpoint researchers observed targeted attacks impacting French entities in the construction, real estate and government sectors.

  • Attackers used macro-enabled Microsoft Word documents to deliver the Chocolatey installer, an open-source package manager for Windows.
  • The attack targeted French entities in the construction, real estate and government industries.

The researchers were unable to determine the ultimate objective of the campaign. The threat actors used the Serpent backdoor to remotely control compromised systems, steal sensitive data and deliver additional malicious payloads.

Proofpoint identified a targeted attack that leveraged the open-source package installer Chocolatey to deliver a backdoor.

The phishing messages use a weaponised Microsoft Word document masquerading as information relating to the “reglement general sur la protection des donnees (RGPD)”, the French name for the European Union’s General Data Protection Regulation (GDPR).

“The PowerShell script first downloads, installs and updates the Chocolatey installer package and repository script. Chocolatey is a software management automation tool for Windows that wraps installers, executables, zips, and scripts into compiled packages, similar to Homebrew for OSX,” reads the post published by Proofpoint.

“The software provides both open-source and paid versions with various levels of functionality. Proofpoint has not previously observed a threat actor use Chocolatey in campaigns.”

The attack targeted French entities in the construction, real estate, and government industries. The threat actors used steganography, including a cartoon image, to download and install the Serpent backdoor.

The attacker also demonstrated a novel detection bypass method using a Scheduled Task. Based on the tactics and targeting observed, this is likely the work of an advanced, targeted threat actor.

The threat actor tried to install a backdoor on a potential victim’s device, which could allow remote administration, command and control (C2), data theft, or the delivery of additional payloads. Proofpoint refers to this backdoor as Serpent.
