Freely subscribe to our NEWSLETTER

Proofpoint identified a targeted attack leveraging an open-source package installer Chocolatey to deliver a backdoor.
The attack targeted French entities in the construction, real estate, and government industries.
The attacker used a resume themed subject and lure purporting to be GDPR information.
The attacker used steganography, including a cartoon image, to download and install the Serpent backdoor.
The attacker also demonstrated a novel detection bypass technique using a Scheduled Task.
Objectives are currently unknown however based on the tactics and targeting observed it is likely an advanced, targeted threat.

The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads. Proofpoint refers to this backdoor as Serpent. The ultimate objective of the threat actor is currently unknown.

Sherrod DeGrippo, vice president of threat research and detection at Proofpoint said: “This is a novel application of a variety of technologies that are often legitimately used within organizations. It capitalizes on many organizations, specifically technical groups, desire to allow their users to be “self-sufficient” in regards to self-tooling and package managers. Additionally, the use of steganography is unusual and something we don’t see regularly. Using “Swiper,” the mischievous character in a children’s cartoon, adds something of a personality to the threat as well. Despite the unknown objective of the threat actor, it is highly targeted to a handful of organizations in France, and the malware could be used for data theft or to install later stage payloads.”