Serpent Backdoor Slithers into Orgs Using Chocolatey Installer (Security News, March 2022)
Proofpoint researchers have discovered a cyberattack that uses unusual evasion tactics to backdoor French organizations with a novel malware dubbed Serpent.
These tactics include the use of Chocolatey, a legitimate software package installer, as the initial payload; equally legitimate Python tooling whose traffic would not be flagged on the network; and a previously unseen detection-bypass technique built on a Scheduled Task.
Various parts of the malicious macro include ASCII art depicting a snake, which gave the backdoor its name, the researchers said.
"Leveraging Chocolatey as an initial payload may allow the threat actor to bypass threat-detection mechanisms because it is a legitimate software package and would not immediately be identified as malicious," researchers noted.
The script then uses Chocolatey to install Python, including the pip Python package installer.
Beyond the steganographic images and the Chocolatey package installer used to hide its activity, the attack also relies on what Proofpoint researchers describe as a never-before-seen application of signed binary proxy execution via the Scheduled Tasks executable (schtasks.exe), which they call "an attempt to bypass detection by defensive measures."
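The chain described above (Office macro, Chocolatey installing Python and pip, pip pulling packages, schtasks.exe as a signed proxy) is easy to miss if you only look at binaries, because every one of them is legitimate and signed. What gives it away is the parent-child relationship and where the task action lives. The following is an added example of that hunt over process-creation telemetry; it is not Proofpoint's detection logic and not code from the original report. The events are constructed Sysmon-style records, and the field names, hypothetical paths, task names and rule names are assumptions for this example.

```python
"""Hunt for a Serpent-style process chain in process-creation telemetry.

Added example, not Proofpoint's detection logic. SAMPLE_EVENTS is constructed
telemetry; the paths, task names and rule names are assumptions for this example.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Directories an unprivileged user can write to; a scheduled task whose action lives
# here is far more suspicious than one under Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


@dataclass
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the rules that fire for one process-creation event."""
    img, parent, cl = basename(ev.image), basename(ev.parent_image), ev.cmdline.lower()
    hits: list[str] = []

    # Stage 0: a macro-bearing Office document launching a script host.
    if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
        hits.append("office-spawns-script-host")

    # Stage 1: Chocolatey driven from a script host. The binary itself is legitimate,
    # which is why allow-lists pass it; the parent process is what makes it suspicious.
    if img in {"choco.exe", "chocolatey.exe"} and parent in SCRIPT_HOSTS | OFFICE_APPS:
        hits.append("choco-from-script-host")
        if "python" in cl:
            hits.append("choco-installs-python")

    # Stage 2: pip installing packages from a script host. Both pip.exe and
    # "python -m pip" count.
    is_pip = img in {"pip.exe", "pip3.exe"} or (img.startswith("python") and "-m pip" in cl)
    if is_pip and " install " in f" {cl} " and parent in SCRIPT_HOSTS:
        hits.append("pip-install-from-script-host")

    # Stage 3: schtasks.exe used as a signed proxy. Task creation from a script host
    # is noisy on its own; an action in a user-writable path is the stronger signal.
    if img == "schtasks.exe" and "/create" in cl and parent in SCRIPT_HOSTS:
        hits.append("schtasks-create-from-script-host")
        if any(p in cl for p in USER_WRITABLE):
            hits.append("schtasks-action-in-user-writable-path")
    return hits


def hunt(events: Iterable[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> fired rules, keeping only events that fired at least one rule."""
    return {ev.pid: hits for ev in events if (hits := classify(ev))}


def chain_stages(events: Iterable[ProcEvent]) -> set[int]:
    """Which stages of the chain (0 macro, 1 Chocolatey, 2 pip, 3 schtasks) were seen."""
    stage_of = {"office-spawns-script-host": 0, "choco-from-script-host": 1,
                "pip-install-from-script-host": 2, "schtasks-create-from-script-host": 3}
    return {stage_of[h] for hits in hunt(events).values() for h in hits if h in stage_of}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (hypothetical paths, package and task names).
SAMPLE_EVENTS = [
    ProcEvent(100, PS, "powershell.exe -w hidden -ep bypass -c <payload>",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(101, r"C:\ProgramData\chocolatey\bin\choco.exe", "choco.exe install python -y", PS),
    ProcEvent(102, r"C:\Python310\python.exe", "python.exe -m pip install somepackage", PS),
    ProcEvent(103, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc once /st 12:00 /tn Updater /tr "C:\Users\bob\AppData\Roaming\u.exe"', PS),
    # Benign: an installed agent registering its own update task under Program Files.
    ProcEvent(200, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn AgentUpdate /tr "C:\Program Files\Agent\update.exe"',
              r"C:\Program Files\Agent\agent.exe"),
    ProcEvent(201, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, hits in hunt(SAMPLE_EVENTS).items():
        print(pid, hits)
    print("stages seen:", sorted(chain_stages(SAMPLE_EVENTS)))
```

On the constructed sample, the four attacker events each fire at least one rule and the two benign ones fire none, and all four stages are seen. In practice the per-event rules are too noisy to alert on individually (administrators do run choco and schtasks from PowerShell); the useful alert is the co-occurrence of several stages on one host inside a short window, which is what chain_stages approximates.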
News URL
https://threatpost.com/serpent-backdoor-chocolatey-installer/179027/