Security News > 2022 > March > Serpent malware campaign abuses Chocolatey Windows package manager
Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new 'Serpent' backdoor malware on systems of French government agencies and large construction firms.
Chocolatey is an open-source package manager for Windows that allows users to install and manage over 9,000 applications and any dependencies through the command line.
In a new phishing campaign discovered by Proofpoint, threat actors use an intricate infection chain consisting of macro-laced Microsoft Word documents, the Chocolatey package manager, and steganographic images to infect devices while bypassing detection.
The PowerShell script will first download and install the Chocolatey Windows package manager, which is then used to install the Python programming language and the PIP package installer, as shown below.
"Proofpoint has not previously observed a threat actor use Chocolatey in campaigns," Proofpoint researchers explain in their report.
Once loaded, the Serpent backdoor malware will communicate with the attacker's command and control server to receive commands to execute on the infected device.
News URL
Related news
- Detecting Windows-based Malware Through Better Visibility (source)
- Microsoft fixes two Windows zero-days exploited in malware attacks (source)
- Russia's APT28 Exploited Windows Print Spooler Flaw to Deploy 'GooseEgg' Malware (source)
- Microsoft fixes Windows zero-day exploited in QakBot malware attacks (source)