News

French companies are under attack via Chocolatey package manager

Hackers are abusing the popular Chocolatey package manager for Windows as part of a phishing campaign aimed at planting the Serpent backdoor on the systems of French government agencies and major construction firms.

A new phishing campaign aimed primarily at French construction and real estate organizations, as well as government agencies, was discovered by Proofpoint experts. They write that the hackers use a complex infection chain consisting of Microsoft Word documents with macros, the Chocolatey package manager, and steganography.

The attack starts with a simple phishing email allegedly related to the GDPR. The email contains an attached Word document containing a malicious macro. When this document is opened, a malicious macro extracts an image of a fox from the animated series Dora the Traveler.

Chocolatey package manager

The image above is not as innocuous as it might first appear, as it uses shorthand to hide a PowerShell script. This script will download and install the Windows Chocolatey package manager, which will then be used to install Python and the PIP package installer.

Chocolatey is also used to avoid detection by security software, as it is often used in corporate environments and is often on the allowed list.

Previously, Proofpoint did not notice that attackers were using Chocolatey in their campaigns.the researchers write.

As a result, a second steganographic image is loaded into the victim’s system to download the Serpent backdoor, which is a malware written in Python (therefore, previously installed packages were required in the previous steps).

Chocolatey package manager
Attack scheme

Serpent, in turn, will contact the hackers’ control server to receive commands to be executed on the infected device. According to analysts, the backdoor is capable of executing any command of its operators, allowing it to download additional malware, open reverse shells, and gain full access to the device.

So far, Proofpoint experts have not found anything that would help to establish the attribution of this campaign and connect Serpent operators with a specific country. The ultimate goals of the attackers are also not yet clear, but the tactics they used point to espionage.

Let me remind you that we also talked about the fact that Hacked Oxford server was used for phishing attacks on Office 365, and also that APWG Notes Three-Year Phishing Record.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Sending

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button