Serpent Backdoor Targets Orgs. Using Chocolatey Installer!

An unusual attack using an open-source Python package installer called Chocolatey, steganography & Scheduled Tasks is stealthily delivering spyware to companies

Researchers have discovered a cyber-attack that uses unusual evasion tactics to backdoor French organisations with a novel malware dubbed Serpent.

Targeted Threat

A team from Proofpoint observed what they call an “advanced, targeted threat” that uses email-based lures & malicious files typical of many malware campaigns to deliver its ultimate payload to targets in the French construction, real-estate & govt. industries.

However, between initial contact & payload, the attack uses methods to avoid detection that haven’t been seen before, researchers revealed in a blog post.

These include the use of a legitimate software package installer called ‘Chocolatey’ as an initial payload, equally legitimate Python tools that wouldn’t be flagged in network traffic, & a new detection bypass technique using a Scheduled Task, they stated.

Objectives

“The ultimate objectives of the threat actor are presently unknown,” Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern & Selena Larson acknowledged in the post.

“Successful compromise would enable a threat actor to conduct a variety of activities, including stealing information, obtaining control of an infected host or installing additional payloads.”

Slippery Attack Chain

The attack chain begins as many email-based attacks do—with an email that appears to be coming from a legitimate source that includes a Microsoft Word document containing malicious macros. Various parts of the macro include ASCII art that shows a snake, giving the backdoor its name, researchers outlined.

The macro-laden document purports to have important information related to the “règlement général sur la protection des données (RGPD),” aka the European Union’s General Data Protection Regulations (GDPR), a law which mandates how companies must report data leaks to the govt.

If macros are enabled, the document’s macro runs and reaches out to an image URL (e.g., https://www.fhccu[.]com/images/ship3[.]jpg) that contains a base64-encoded PowerShell script hidden using steganography.

PowerShell

The PowerShell script 1st downloads, installs & updates the installer package & repository script for Chocolatey, a software management automation tool for Windows that wraps installers, executables, .ZIP files & scripts into compiled packages, researchers explained.

“Using Chocolatey as an initial payload may allow the threat actor to bypass threat-detection mechanisms because it is a legitimate software package and would not immediately be identified as malicious,” researchers noted.

The script then uses Chocolatey to install Python, including the pip Python package installer. This component then installs various dependencies including PySocks, a Python-based reverse proxy client that enables users to send traffic through SOCKS and HTTP proxy servers, researchers explained.

Python Script

Then, the PowerShell script fetches another image file (e.g., https://www.fhccu[.]com/images/7[.]jpg), which contains a base64-encoded Python script that is also obscured using steganography, they outlined.

The PowerShell script saves the Python script as “MicrosoftSecurityUpdate.py” & then creates & executes a .bat file that in turn executes the Python script.

This attack chain ends with a command to a shortened URL which redirects to the Microsoft Office help website, researchers observed. The steganographic images used to hide the scripts are hosted on what seems to be a Jamaican credit-union website, they added.

Serpent Backdoor

Once successfully installed on a targeted system, the Serpent backdoor occasionally pings the “order” server (the 1st onion[.]pet URL) & expects responses of the form <random integer>–<hostname>–<command>.

If <hostname> matches the hostname of the infected computer, the infected host runs the command provided by the order server (<command>), researchers explained. This could be any Windows command as designated by the attacker, the output of which is then recorded.

Pastebin

Next, Serpent uses PySocks to connect to the command-line Pastebin tool called Termbin, pastes the output to a bin, & receives the bin’s unique URL.

Finally, the backdoor sends a request to the “answer” server (a 2nd onion[.]pet URL), including the hostname & bin URL in the header. This allows the attacker to monitor the bin outputs via the “answer” URL & see what the infected host’s response was, researchers observed.

When this whole process is complete, Serpent cycles through it indefinitely, they added.
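The order / paste / answer cycle described above leaves a recognisable sequence in proxy telemetry: a request to an onion[.]pet relay, then one to Termbin, then another relay request moments later. The following detection sketch is an added example, not code from Proofpoint or from the article; the log format, the five-minute window and the client names are constructed assumptions, and termbin.com is assumed to be the Termbin host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log (not real telemetry): "<ISO time> <client> <destination host>".
# onion.pet and Termbin are the relays the article names; the other hosts are filler.
SAMPLE_LOG = """\
2022-03-21T09:00:01 ws-17 www.office.com
2022-03-21T09:00:12 ws-17 abcd1234.onion.pet
2022-03-21T09:00:15 ws-17 termbin.com
2022-03-21T09:00:16 ws-17 efgh5678.onion.pet
2022-03-21T09:05:00 ws-03 termbin.com
2022-03-21T11:30:00 ws-03 wxyz0000.onion.pet
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+)$")
RELAY = re.compile(r"(^|\.)onion\.pet$", re.I)   # "order" and "answer" servers
PASTE = re.compile(r"(^|\.)termbin\.com$", re.I)  # assumed Termbin host


def parse_log(text: str):
    """Yield (time, client, dest) tuples; malformed lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_serpent_pattern(text: str, window: timedelta = timedelta(minutes=5)) -> list:
    """Return clients whose traffic shows relay -> paste -> relay inside `window`."""
    per_client = defaultdict(list)
    for ts, client, dest in parse_log(text):
        if RELAY.search(dest):
            per_client[client].append((ts, "relay"))
        elif PASTE.search(dest):
            per_client[client].append((ts, "paste"))
    flagged = []
    for client, events in per_client.items():
        events.sort()
        kinds = [k for _, k in events]
        for i in range(len(events) - 2):
            span = events[i + 2][0] - events[i][0]
            if kinds[i:i + 3] == ["relay", "paste", "relay"] and span <= window:
                flagged.append(client)
                break
    return sorted(flagged)
```

A single Termbin or onion.pet contact is not flagged on its own; only the full cycle within the window is, which keeps the rule narrow enough to triage.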

Evasion Tactics

In addition to using steganographic images & the Chocolatey package installer to hide its bad activities, the attack also uses what Proofpoint researchers commented is a never-before-seen application of signed binary proxy execution using a Scheduled Tasks executable, as “an attempt to bypass detection by defensive measures.”

A command that uses schtasks.exe to create a one-time task to call a portable executable is contained within a Swiper image called ship.jpg after the end of file marker, researchers revealed.
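The images in this chain carry their scripts as base64 text sitting after the JPEG end-of-image marker, as the ship.jpg description above and the earlier ship3.jpg and 7.jpg stages show. The inspector below is an added example, not code from the article or from Proofpoint; the sample image bytes, the appended text and the keyword heuristic are constructed assumptions.

```python
import base64
import binascii
import re

# Constructed sample: a minimal JPEG-like container (SOI ... EOI) with a base64 blob
# appended after the End-Of-Image marker, mimicking the technique described for ship.jpg.
# Not a real image; the appended text is a placeholder, not the campaign's script.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
FAKE_PIXELS = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32
SAMPLE_SCRIPT = b"# constructed sample\nschtasks /Create /TN placeholder\n"
SAMPLE_IMAGE = JPEG_SOI + FAKE_PIXELS + JPEG_EOI + base64.b64encode(SAMPLE_SCRIPT)

# Tokens that suggest a script rather than camera metadata (assumed heuristic).
SUSPICIOUS = re.compile(rb"(schtasks|powershell|Invoke-|choco |\bimport\b)", re.I)


def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the last JPEG EOI marker (empty if nothing)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        return b""
    return data[eoi + len(JPEG_EOI):]


def try_base64(blob: bytes):
    """Strict base64 decode; None when the tail is not valid base64."""
    try:
        return base64.b64decode(blob.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_image(data: bytes) -> dict:
    """Summarise a JPEG for appended, base64-wrapped script content."""
    tail = trailing_bytes(data)
    decoded = try_base64(tail) if tail else None
    hits = sorted({m.group(1).decode(errors="replace").lower()
                   for m in SUSPICIOUS.finditer(decoded or b"")})
    return {"trailing_len": len(tail), "base64": decoded is not None,
            "script_tokens": hits, "suspicious": bool(hits)}
```

Real JPEGs can legitimately carry a few trailing bytes, so the base64 and keyword checks together, not the trailing length alone, are what make the verdict useful.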

Trigger

“In this case the executable is called calc.exe,” researchers wrote. The trigger for this task is contingent on the creation of a Windows event with EventID of 777, after which the command then creates a dummy event to trigger the task & deletes the task from the task scheduler as if it never occurred, they further explained.

“This peculiar application of tasking logic results in the portable executable being executed as a child process of taskhostw.exe, which is a signed Windows binary,” researchers suggested.
