"New Serpent Backdoor Malware Targets French Entities With Unforeseen Method"

Researchers at Proofpoint have discovered a new backdoor malware dubbed Serpent, which has been used to infect French entities in the construction and government sectors. According to the researchers, Serpent is installed in innovative ways, including steganography, a Tor proxy, and legitimate package installer software.

The Serpent backdoor makes its initial compromise with an email containing a malicious Microsoft Word document written in French. The attached document lures the user into enabling macros to read it, a common tactic attackers use to start an infection on a targeted computer. In addition, the email's subject includes "Candidature," the usual French word for "job application," to further entice the user to open the malicious document. When the macro is enabled, it downloads an image from a compromised website that contains an encoded PowerShell script. That PowerShell script then downloads, installs, and updates Chocolatey, a software management automation tool for Windows systems that wraps installers, EXE files, archives, and scripts into a compiled package. Chocolatey installs the Python programming language, including pip, the Python package installer. Next, various dependencies are installed, including PySocks, a Python tool that lets users send traffic via SOCKS and HTTP proxy servers. Another image is downloaded from the same website as the first, again using steganography, this time to store an encoded Python script that is saved on the computer as MicrosoftSecurityUpdate.py. The infection chain concludes with a command to a URL shortener link that redirects the user to the legitimate Microsoft Office help website.

This article continues to discuss the Serpent backdoor malware's initial compromise and infection chain, as well as the uniqueness of the threat actor behind the backdoor.
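The chain above is unusual because each stage on its own (a PowerShell launch, a Chocolatey install of Python, a pip install) is normal administrative activity; what makes it suspicious is the sequence starting from an Office process. The following correlation rule is an added example, not code from Proofpoint or the article: it runs over constructed process-creation events (field names host, ts, image, parent_image and cmdline are assumptions modelled on Sysmon event ID 1 telemetry) and flags a host only when a Word-spawned PowerShell is followed within a time window by later links of the chain.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage is one link of the chain; a predicate matches a single event.
STAGES = [
    ("word_spawns_powershell", lambda e: e["image"].lower().endswith("powershell.exe")
        and e["parent_image"].lower().endswith("winword.exe")),
    ("choco_installs_python", lambda e: all(
        w in e["cmdline"].lower() for w in ("choco", "install", "python"))),
    ("pip_installs_pysocks", lambda e: all(
        w in e["cmdline"].lower() for w in ("pip", "install", "pysocks"))),
    ("python_runs_dropped_script", lambda e: e["image"].lower().endswith("python.exe")
        and "microsoftsecurityupdate.py" in e["cmdline"].lower()),
]

def detect_serpent_chain(events, window=timedelta(hours=1), min_stages=3):
    """Map host -> matched stage names when Word->PowerShell is followed, within
    `window`, by enough further stages to reach min_stages in total."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        for i, anchor in enumerate(evs):
            # Anchor on Word -> PowerShell; choco/pip use without it is routine admin work.
            if not STAGES[0][1](anchor):
                continue
            matched = [STAGES[0][0]]
            for e in evs[i + 1:]:
                if e["ts"] - anchor["ts"] > window:
                    break
                matched += [n for n, p in STAGES[1:] if n not in matched and p(e)]
            if len(matched) >= min_stages:
                hits[host] = matched
                break
    return hits

def _ev(host, minute, image, parent, cmdline):  # helper to build a constructed event
    return {"host": host, "ts": datetime(2022, 3, 1, 9, minute), "image": image,
            "parent_image": parent, "cmdline": cmdline}

# Constructed sample telemetry: WS01 shows the full chain; ADMIN01 is a legitimate
# Chocolatey install of Python from a shell with no Office parent, and is not flagged.
SAMPLE_EVENTS = [
    _ev("WS01", 0, "powershell.exe", "WINWORD.EXE", "powershell.exe -w hidden"),
    _ev("WS01", 2, "powershell.exe", "powershell.exe", "choco install python -y"),
    _ev("WS01", 5, "python.exe", "python.exe", "python -m pip install PySocks"),
    _ev("WS01", 6, "python.exe", "powershell.exe", r"python C:\Users\u\MicrosoftSecurityUpdate.py"),
    _ev("ADMIN01", 0, "choco.exe", "cmd.exe", "choco install python -y"),
]
```

Real telemetry should carry full image paths, which the endswith checks above still accept; in production the predicates would be tightened with parent process IDs rather than names alone.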

TechRepublic reports "New Serpent Backdoor Malware Targets French Entities With Unforeseen Method"
