
Cyber Incident Victim: France

Date: Mar 2022

Location: France

Summary

A targeted campaign against French entities in government, construction, and real estate sectors employed malicious macro-enabled Word documents disguised as GDPR compliance materials, delivering a backdoor via steganographic images hosted on a compromised credit union site. Attackers leveraged the Chocolatey package manager to install Python dependencies and the "Serpent" backdoor, which established Tor-based command-and-control channels for remote command execution, data exfiltration via Termbin, and potential additional payload deployment. The operation featured novel evasion techniques, including scheduled task manipulation to execute malicious code under legitimate Windows processes, indicating sophisticated tradecraft aimed at persistence and detection bypass.


Description

In March 2022, Proofpoint identified a targeted cyber campaign against French organizations in the construction, real estate, and government sectors. The attack began with phishing emails carrying French-language resume-themed subjects, such as "Candidature - Jeanne Vrakele," and purported GDPR compliance information. These emails delivered macro-enabled Microsoft Word documents that executed Visual Basic for Applications (VBA) code once macros were enabled. The macro retrieved a steganographic image file from a compromised Jamaican credit union website (fhccu[.]com); the file appeared to be a cartoon image but concealed a base64-encoded PowerShell script. This script downloaded and installed the Chocolatey package manager, a legitimate open-source tool for Windows software management, marking the first observed use of Chocolatey in malicious campaigns. The PowerShell script then used Chocolatey to install Python and the pip package manager, followed by dependencies including PySocks for SOCKS proxy communication. A second steganographic image from the same domain contained a base64-encoded Python backdoor script saved as "MicrosoftSecurityUpdate.py," which was executed via a batch file. The final stage contacted a shortened URL redirecting to Microsoft's official help site, potentially as a decoy.


The Python-based Serpent backdoor established persistence by periodically querying a Tor-based command-and-control (C2) server via an onion[.]pet domain. It parsed commands formatted as "<random integer>--<hostname>--<command>" and executed them only if the hostname matched the infected system. Output was exfiltrated through Termbin.com, with results relayed to a secondary C2 server via HTTP headers. Attackers deployed a novel execution technique using schtasks.exe to create a scheduled task triggered by a dummy Windows Event ID 777, executing payloads as child processes of the legitimate taskhostw.exe binary to evade detection. Proofpoint's analysis revealed additional payloads hosted on the same infrastructure but did not attribute the campaign to any known threat actor. The company detected and blocked associated malicious documents using its machine-learning-powered Campaign Discovery tool, publishing Emerging Threat signatures to identify Chocolatey-related network activity, malicious script retrieval via image requests, and payload execution patterns. Successful compromises could have enabled remote system control, data theft, or secondary payload deployment, though no specific impact details were confirmed for the targeted entities.
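As an added illustration (not part of this record and not Proofpoint's signatures), the following Python sketch runs four host-based detection rules over constructed Sysmon-style process-creation records that mirror the chain described above: Word spawning PowerShell, the Chocolatey bootstrap, an event-triggered scheduled task created with schtasks.exe, and a Python interpreter running as a child of taskhostw.exe. The record field names and every sample command line are assumptions written for this example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed process-creation records (Sysmon Event ID 1 style); hypothetical
# telemetry written for this example, not captured from the real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"iex (iwr https://community.chocolatey.org/install.ps1)\""},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\ProgramData\chocolatey\bin\choco.exe", "cmdline": "choco install -y python"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /Create /TN Upd /TR "cmd /c C:\\Users\\Public\\u.bat" '
                "/SC ONEVENT /EC Application /MO *[System/EventID=777]"},
    {"parent": r"C:\Windows\System32\taskhostw.exe", "image": r"C:\Python310\python.exe",
     "cmdline": "python.exe C:\\Users\\Public\\MicrosoftSecurityUpdate.py"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign control record, should not match
]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def office_spawns_shell(ev: Dict[str, str]) -> bool:
    # A Word macro handing off to a scripting host is the first visible step.
    return basename(ev["parent"]) == "winword.exe" and \
        basename(ev["image"]) in {"powershell.exe", "cmd.exe", "wscript.exe"}

def chocolatey_bootstrap(ev: Dict[str, str]) -> bool:
    # Chocolatey is legitimate; its install script or "choco install" from a user
    # session without a change ticket is what deserves a look.
    c = ev["cmdline"].lower()
    return "chocolatey.org/install.ps1" in c or re.search(r"\bchoco(\.exe)?\s+install\b", c) is not None

def event_triggered_task(ev: Dict[str, str]) -> bool:
    # Tasks fired by an event log entry (/SC ONEVENT) are rare for ordinary software.
    return basename(ev["image"]) == "schtasks.exe" and "/sc onevent" in ev["cmdline"].lower()

def python_under_taskhostw(ev: Dict[str, str]) -> bool:
    # taskhostw.exe normally hosts Windows components, not a Python interpreter.
    return basename(ev["parent"]) == "taskhostw.exe" and \
        basename(ev["image"]) in {"python.exe", "pythonw.exe"}

RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "office_spawns_shell": office_spawns_shell, "chocolatey_bootstrap": chocolatey_bootstrap,
    "event_triggered_task": event_triggered_task, "python_under_taskhostw": python_under_taskhostw}

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires on every record."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for i, name in scan(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {SAMPLE_EVENTS[i]['cmdline']}")
```

Each rule alone is noisy in a large estate; the point is that the four fire in sequence on one host within minutes, which is the correlation worth alerting on.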
