Date: Mar 2022

Location: France

Summary

A targeted cyberattack against French entities in construction, real estate, and government sectors employed macro-enabled Word documents disguised as GDPR compliance materials to deliver the Serpent backdoor. Attackers used steganographic images hosted on a compromised credit union website to conceal PowerShell and Python scripts, leveraging the Chocolatey package manager to install Python dependencies including PySocks for proxy communications. The backdoor established command-and-control via Tor-enabled onion.pet domains, executing arbitrary commands and exfiltrating outputs through Termbin pastebin URLs. The campaign incorporated novel evasion techniques, such as abusing scheduled tasks to execute binaries under legitimate Windows processes, enabling potential remote access, data theft, or additional payload deployment.


Description

In early 2022, Proofpoint identified a targeted cyberattack campaign against French organizations in the construction, real estate, and government sectors, including entities in Hauts-de-Seine. The attack began with phishing emails containing French-language lures impersonating GDPR compliance information or job applications, such as a message from "Jeanne Vrakele" with the subject "Candidature - Jeanne Vrakele." These emails delivered macro-enabled Microsoft Word documents that, when opened with macros enabled, executed a multi-stage attack chain. The embedded macro retrieved a steganographic image file (e.g., ship3.jpg) from a compromised Jamaican credit union website (fhccu[.]com), which concealed a base64-encoded PowerShell script. This script downloaded and installed the Chocolatey package manager—a legitimate Windows software automation tool not previously observed in malicious campaigns—alongside Python and the PySocks proxy library.


The PowerShell script subsequently fetched a second steganographic image (e.g., 7.jpg) containing the Serpent backdoor, a Python-based malware saved as MicrosoftSecurityUpdate.py. Serpent established command-and-control communication via two Tor proxy URLs (onion[.]pet domains), periodically checking an "order" server for commands formatted as "<random integer>--<hostname>--<command>." When the hostname matched the infected device, the backdoor executed the specified Windows command, relayed output through Termbin (a command-line pastebin tool), and sent the results to an "answer" server via HTTP headers. Attackers additionally employed a novel evasion technique using schtasks.exe to trigger malicious executables as child processes of the legitimate taskhostsw.exe binary, demonstrated through a calc.exe test payload. Proofpoint detected and blocked all campaign-related documents, publishing Emerging Threat signatures to identify Chocolatey package management traffic, malicious script retrieval via images, and associated network indicators. The campaign's objectives remained undetermined, though compromise would enable data theft, host control, or additional payload deployment.
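The staged retrieval chain above (an image fetch, then a Chocolatey install, then contact with a Tor proxy or Termbin endpoint) is a sequence that proxy-log correlation can flag even when each step looks benign on its own. The following Python is an added example, not code from this page or from Proofpoint; it assumes a constructed log format of `<ISO timestamp> <client_ip> <url>`, placeholder host names other than chocolatey.org, onion.pet and termbin.com, and a 30-minute window.

```python
"""Correlate proxy log lines for the staged retrieval chain described above."""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Ordered stages of the chain (image fetch -> Chocolatey -> Tor proxy / Termbin); each is a URL predicate.
STAGES = (
    ("image_fetch", lambda u: u.path.lower().endswith((".jpg", ".jpeg"))),
    ("chocolatey", lambda u: bool(u.hostname) and u.hostname.endswith("chocolatey.org")),
    ("c2_or_exfil", lambda u: bool(u.hostname) and (
        u.hostname.endswith("onion.pet") or u.hostname == "termbin.com")),
)

# Constructed sample log (not real telemetry): "<ISO timestamp> <client_ip> <url>".
# Host names other than chocolatey.org, onion.pet and termbin.com are placeholders.
SAMPLE_LOG = [
    "2022-03-01T09:00:00 10.0.0.5 http://compromised-host.example/images/ship3.jpg",
    "2022-03-01T09:00:20 10.0.0.5 https://community.chocolatey.org/install.ps1",
    "2022-03-01T09:03:00 10.0.0.5 http://placeholder-address.onion.pet/order",
    "2022-03-01T09:01:00 10.0.0.7 https://community.chocolatey.org/install.ps1",
    "2022-03-01T09:02:00 10.0.0.9 http://compromised-host.example/images/ship3.jpg",
    "2022-03-01T12:00:00 10.0.0.9 https://community.chocolatey.org/install.ps1",
]

def find_chain(lines, window=timedelta(minutes=30)):
    """Return {client: [stage names]} for clients hitting every stage in order within
    `window` of the first hit; out-of-order or stale hits (e.g. routine Chocolatey use) do not count."""
    progress = {}  # client -> (next stage index, time of first hit, stages seen)
    flagged = {}
    for line in sorted(lines, key=lambda l: l.split()[0]):  # ISO timestamps sort lexically
        ts, client, url = line.split(maxsplit=2)
        ts, url = datetime.fromisoformat(ts), urlparse(url)
        idx, start, seen = progress.get(client, (0, None, []))
        if start is not None and ts - start > window:
            idx, start, seen = 0, None, []          # chain went stale; start over
        name, matches = STAGES[idx]
        if matches(url):
            seen = seen + [name]
            start = start if start is not None else ts
            idx += 1
            if idx == len(STAGES):                  # full chain observed for this client
                flagged[client] = seen
                idx, start, seen = 0, None, []
        progress[client] = (idx, start, seen)
    return flagged

if __name__ == "__main__":
    print(find_chain(SAMPLE_LOG))  # {'10.0.0.5': ['image_fetch', 'chocolatey', 'c2_or_exfil']}
```

Client 10.0.0.7 reaches Chocolatey without a preceding image fetch and 10.0.0.9 reaches it hours after its image fetch, so neither is flagged; only the ordered, time-bounded sequence is.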
