Attackers employ novel methods to backdoor French organizations

2022-03-21 10:43

An advanced threat actor has been spotted using distinctive, novel methods to backdoor French entities in the construction, real estate, and government industries.

The attack starts with a well-known technique - emails containing a macro-enabled Microsoft Word document masquerading as information relating to the GDPR - and ends up with an attempt to install a backdoor on target systems.

What happens in between those steps is what makes these attacks interesting.

The installation of Python, the pip Python package installer, and PySocks.

Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson say that this is the first time they have observed a threat actor use Chocolatey in campaigns, and that steganography is, in general, rarely used by attackers.

"In addition to the images used in this attack chain, [we] have observed and identified additional payloads being served from the same host. One of particular interest is utilizing what Proofpoint believes to be a novel application of signed binary proxy execution using schtasks.exe," they added.

News URL

https://www.helpnetsecurity.com/2022/03/21/methods-backdoor/

#backdoor #french