Security News > 2022 > March > New Backdoor Targets French Entities via Open-Source Package Installer

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems.

Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed.

"The threat actor attempted to install a backdoor on a potential victim's device, which could enable remote administration, command and control, data theft, or deliver other additional payloads," Proofpoint researchers said in a report shared with The Hacker News.

Enabling the macros results in its execution, which retrieves a seemingly harmless image file hosted on a remote server but actually contains a Base64-encoded PowerShell script that's obscured using steganography, a little-used method of concealing malicious code within an image or audio in order to circumvent detection.

The PowerShell script, in turn, is engineered to install the Chocolatey utility on the Windows machine, which is then utilized to install the Python package installer pip, the latter of which acts as conduit to install the PySocks proxy library.

In addition to steganography, the use of widely recognized tools such as Chocolatey as an initial payload for follow-on deployment of genuine Python packages is an attempt to stay under the radar and not be flagged as a threat, Proofpoint said.

News URL

https://thehackernews.com/2022/03/new-backdoor-targets-french-entities.html