Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems.
Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown.
“The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads,” Proofpoint researchers said in a report.
The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union’s General Data Protection Regulation (GDPR).
Enabling the macros results in its execution, which retrieves a seemingly harmless image file hosted on a remote server but actually contains a Base64-encoded PowerShell script that’s obscured using steganography, a little-used method of concealing malicious code within an image or audio in order to circumvent detection.
The PowerShell script, in turn, is engineered to install the Chocolatey utility on the Windows machine, which is then utilized to install the Python package installer pip, the latter of which acts as conduit to install the PySocks proxy library.
From The Shadows Emerges Knowledge