Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install the new “Serpent” backdoor malware on the systems of French government agencies and major construction companies.
Chocolatey is an open-source package manager for Windows that allows users to install and manage over 9,000 applications and all dependencies through the command line.
In a new phishing campaign discovered by Proofpoint, threat actors use a complex infection chain consisting of Microsoft Word documents containing macros, the Chocolatey package manager and steganographic images to infect devices while bypassing detection .
Steganography + Chocolatey to evade detection
Proofpoint researchers have discovered a new phishing campaign targeting French organizations in the construction, real estate and administration sectors.
The multi-stage attack begins with a phishing email impersonating the European Union’s General Data Protection Regulation (GDPR) agency. This email includes a Word document attachment containing malicious macro code.
If opened and the content enabled, the malicious macro retrieves an image of Swiper the Fox from the Dora the Explorer cartoon series.
However, this image isn’t entirely harmless, as it uses steganography to hide a PowerShell script that the macros will run. Steganography is used to hide data, in this case malicious code, to evade detection by users and anti-virus tools because it appears as a normal image.
The PowerShell script will first download and install the Chocolatey Windows package manager, which is then used to install the Python programming language and the PIP package installer, as shown below.
Chocolatey is also used to evade detection by security software, as it is commonly used in corporate environments to manage software remotely and could be on an authorized list in IT environments.
“Proofpoint has never observed a malicious actor using Chocolatey in campaigns,” Proofpoint researchers explain in their report.
Eventually, a second steganographic image is downloaded to load the Serpent backdoor, which is Python-based malware, hence the need for the packages previously installed in the previous steps.
Once loaded, the Serpent backdoor malware will communicate with the attacker’s command and control server to receive commands to execute on the infected device.
Proofpoint says the backdoor can execute any command sent by the attacks, allowing threat actors to download other malware, open reverse shells, and gain full access to the device.
Chocolatey told BleepingComputer that they were unaware that their software had been abused in this way and that they were looking into the matter.
Probably a new threat actor
In addition to the custom backdoor (Serpent) and Chocolatey abuse, which has never been seen in the cyber threat realm, Proofpoint also noticed a new signed binary proxy runtime application using schtrasks.exe , essentially a new detection bypass technique.
These elements indicate that the threat actor is a new group, characterized by high sophistication and capabilities, and not related to other known agents.
Proofpoint could not detect anything that could be used to attribute the activity to a particular threat actor, indicating the actor’s overall operational security.
Although the objective of the unknown adversary has not yet been determined, it seems that the tactic points to espionage, data access, host control and installation of additional payloads being the main pillars of the attacks.