Proofpoint observed new, targeted activity impacting French entities in the construction and government sectors. The threat actor used macro-enabled Microsoft Word documents to distribute a modified installer package for Chocolatey, an open-source package installer. The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, Command-and-Control (C2) connections, data theft, or the delivery of additional payloads. Proofpoint refers to this backdoor as Serpent; the ultimate objective of the threat actor is currently unknown. Later stages of the attack chain involve malicious Python scripts that are smuggled onto target systems hidden, using steganography, inside .jpg images hosted on a site that presents itself as a Jamaican credit union website.
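The summary above does not say how the Python scripts are embedded in the .jpg files, so the following is an added example (not Proofpoint's or the campaign's code) of one generic check a defender can run on images fetched by endpoints: it assumes, as a stated assumption, that the payload is appended after the JPEG End-of-Image marker, which is one common way to smuggle text through an image, and it flags trailers that read like Python source. The sample JPEG bytes are constructed inline.

```python
# Added example, not Proofpoint's or the campaign's code.
# ASSUMPTION: the exact steganography method is not described on the page;
# this heuristic only catches data appended after the JPEG EOI marker.
from typing import Dict, Optional

JPEG_SOI = b"\xff\xd8"  # Start-of-Image marker
JPEG_EOI = b"\xff\xd9"  # End-of-Image marker

# Tokens that suggest Python source text rather than image data.
PYTHON_HINTS = (b"import ", b"def ", b"exec(", b"base64", b"subprocess")


def trailing_payload(data: bytes) -> Optional[bytes]:
    """Return bytes appended after the last EOI marker, or None if absent.

    rfind() is used because embedded thumbnails may contain their own EOI;
    a payload that itself contains FF D9 would be partially missed, which
    is an accepted limitation of this heuristic.
    """
    if not data.startswith(JPEG_SOI):
        return None
    end = data.rfind(JPEG_EOI)
    if end == -1:
        return None
    trailer = data[end + len(JPEG_EOI):]
    return trailer if trailer else None


def looks_like_python(blob: bytes) -> bool:
    """Require at least two distinct Python-ish tokens to reduce noise."""
    return sum(1 for hint in PYTHON_HINTS if hint in blob) >= 2


def scan_jpeg(data: bytes) -> Dict[str, object]:
    """Summarise whether a JPEG carries a trailer and whether it looks like code."""
    trailer = trailing_payload(data)
    return {
        "has_trailer": trailer is not None,
        "trailer_size": len(trailer) if trailer else 0,
        "python_like": looks_like_python(trailer) if trailer else False,
    }


# Constructed sample inputs (not real campaign files): a minimal JFIF header
# followed by padding, and the same image with a script appended after EOI.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
SMUGGLED_JPEG = CLEAN_JPEG + b"import base64, subprocess\ndef run():\n    pass\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("smuggled", SMUGGLED_JPEG)):
        print(name, scan_jpeg(blob))
```

A hit from `scan_jpeg` is a triage signal, not proof of compromise: some legitimate tools append metadata after EOI, so the trailer should be inspected alongside where the image was downloaded from and which process requested it.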
This Python-based malware is unique in leveraging the legitimate package manager Chocolatey as part of its attack chain to install dependencies before running malicious Python scripts. Leveraging Chocolatey as an initial payload may allow the threat actor to bypass threat detection mechanisms, because it is a legitimate software package that would not immediately be identified as malicious. The malware’s use of steganography to deliver additional payloads is a rarely used technique in malware campaigns. Activity like this may be more difficult for Anti-Virus (AV) and Endpoint Detection and Response (EDR) solutions to detect behaviorally, so it is important to have up-to-date threat intelligence information and blocking capabilities.
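Because the Chocolatey package itself is legitimate, the more reliable behavioral signal is the parent/child relationship the chain implies: a Word process spawning a package manager, shell or interpreter. The following is an added example (not Proofpoint's detection content) that applies that rule to process-creation telemetry; the field names mimic Sysmon Event ID 1, but the log lines are constructed, and the assumption that the macro launches Chocolatey and Python directly from the Word process is mine, not a detail stated on the page.

```python
# Added example, not Proofpoint's detection content.
# ASSUMPTION: the Word macro spawns the installer and interpreter as child
# processes of WINWORD.EXE; the page does not describe the exact process tree.
from typing import Dict, Iterable, List, Tuple

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPICIOUS_CHILDREN = {
    "choco.exe", "chocolatey.exe",      # package manager used to pull dependencies
    "python.exe", "pythonw.exe",        # interpreter for the later-stage scripts
    "powershell.exe", "cmd.exe",        # common intermediaries for a macro
}


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value' pairs separated by '|' (constructed log layout)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: Dict[str, str]) -> bool:
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN


def detect(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, command line) for each event matching the rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            hits.append((basename(event["ParentImage"]),
                         basename(event["Image"]),
                         event.get("CommandLine", "")))
    return hits


# Constructed sample telemetry (not real campaign logs).
SAMPLE_EVENTS = [
    "EventId=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\ProgramData\\chocolatey\\bin\\choco.exe|CommandLine=choco install python -y",
    "EventId=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Python310\\python.exe|CommandLine=python stage2.py",
    "EventId=1|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\ProgramData\\chocolatey\\bin\\choco.exe|CommandLine=choco upgrade all -y",
    "EventId=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\splwow64.exe|CommandLine=splwow64.exe 12288",
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT office-spawned tool:", hit)
```

The third sample (an administrator running Chocolatey from Explorer) and the fourth (Word launching the printer helper) are deliberately included as benign cases so the rule keys on the parent/child pair rather than on Chocolatey alone.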