Cyber Incident Victim: City of Lille
Date: Mar 2022
Location: France
Summary
A targeted cyberattack impacted French entities in construction, real estate, and government sectors via malicious macro-enabled Word documents disguised as GDPR compliance information. The campaign employed steganography within hosted images to deliver hidden PowerShell and Python scripts, leveraging the open-source Chocolatey package manager to install Python dependencies and deploy the "Serpent" backdoor. This malware established Tor-based command-and-control channels, enabling remote command execution and data exfiltration through Termbin pastebin interactions. Attackers utilized a novel detection evasion technique involving scheduled tasks triggered by dummy system events to execute payloads under legitimate Windows processes. The compromise facilitated potential remote administration, data theft, and additional payload delivery, though specific objectives remained undetermined.
Description
In early March 2022, Proofpoint identified a targeted cyberattack campaign against French organizations in the construction, real estate, and government sectors. The attack began with phishing emails containing French-language subject lines such as "Candidature - Jeanne Vrakele" that purported to originate from a sender named Jeanne Vrakele using a Gmail address. These emails carried malicious Microsoft Word documents disguised as General Data Protection Regulation (GDPR) compliance information. When recipients enabled macros, the document executed Visual Basic for Applications (VBA) code that retrieved a steganographic image from a compromised Jamaican credit union website. This image, depicting a cartoon snake, contained a base64-encoded PowerShell script hidden after the file's end marker. The script subsequently downloaded and installed the Chocolatey package manager—a legitimate open-source software management tool not previously observed in malicious campaigns—along with Python and the PySocks library. A second steganographic image from the same domain delivered a base64-encoded Python backdoor script saved as "MicrosoftSecurityUpdate.py," completing the initial infection chain.

The final payload, dubbed Serpent by researchers, established persistent command-and-control (C2) communication through Tor proxy servers using .onion.pet domains. The backdoor employed a polling mechanism that checked an "order" URL every 10 seconds for commands formatted as "<random integer>--<hostname>--<command>." Upon receiving a command matching the infected host's hostname, the malware executed the specified Windows command, captured output via Termbin pastebin service, and transmitted results to an "answer" URL through HTTP headers containing host identifiers and Termbin URLs. Attackers demonstrated additional evasion techniques by creating scheduled tasks triggered by dummy Event ID 777 entries, executing binaries like calc.exe as child processes of the legitimate taskhostsw.exe Windows binary before deleting the tasks. Proofpoint detected all campaign-related documents through its security systems and published Emerging Threat signatures targeting Chocolatey-related network traffic and malicious script retrieval patterns. The campaign's use of steganography, abuse of legitimate tools (Chocolatey, Python, schtasks.exe), and Tor-based infrastructure indicated sophisticated tradecraft, though researchers could not attribute the activity to known threat groups or determine final objectives beyond establishing persistent remote access capabilities.
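As an added defender-side illustration (not code from the original entry or from Proofpoint), the check below flags image files that carry bytes after the JPEG EOI or PNG IEND marker and tests whether that tail base64-decodes to script-like text, which is the hiding place the first stage above relied on. The sample image bytes and payload are constructed, and the marker table and script hints are my own assumptions.

```python
import base64
import re

# Signature -> end-of-image marker. A well-formed image ends at this marker;
# anything appended after it is a common place to hide a payload.
END_MARKERS = {
    b"\xff\xd8": b"\xff\xd9",                 # JPEG: SOI ... EOI
    b"\x89PNG\r\n\x1a\n": b"IEND\xaeB`\x82",  # PNG: IEND chunk + its CRC
}
# Lower-case substrings suggesting decoded bytes are a script rather than noise.
SCRIPT_HINTS = (b"powershell", b"invoke-", b"downloadstring", b"import ", b"def ", b"socket")
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]{40,}")

def trailing_bytes(data):
    """Bytes after the last end marker of a JPEG/PNG, or None if not a complete image."""
    for sig, marker in END_MARKERS.items():
        if data.startswith(sig):
            idx = data.rfind(marker)
            return data[idx + len(marker):] if idx != -1 else None
    return None

def decode_hidden_script(tail):
    """Base64-decode the longest base64-looking run in tail; return text if script-like."""
    runs = B64_RUN.findall(tail)
    if not runs:
        return None
    try:
        decoded = base64.b64decode(max(runs, key=len))
    except ValueError:  # binascii.Error is a ValueError
        return None
    if any(h in decoded.lower() for h in SCRIPT_HINTS):
        return decoded.decode("utf-8", errors="replace")
    return None

def scan_image(data):
    """Return a verdict dict for one image blob."""
    tail = trailing_bytes(data)
    if tail is None:
        return {"suspicious": False, "reason": "not a complete JPEG/PNG"}
    if not tail.strip():
        return {"suspicious": False, "reason": "nothing after end marker"}
    script = decode_hidden_script(tail)
    if script is not None:
        return {"suspicious": True, "reason": "base64 script after end marker", "script": script}
    return {"suspicious": True, "reason": "%d unexplained bytes after end marker" % len(tail)}

# Constructed sample: a minimal JPEG stub with a harmless base64-encoded
# PowerShell line appended after EOI, imitating the layout described above.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xd9"
SAMPLE_PAYLOAD = b"powershell -c Write-Output 'constructed sample payload'"
STEGO_IMAGE = JPEG_STUB + base64.b64encode(SAMPLE_PAYLOAD)
CLEAN_IMAGE = JPEG_STUB

if __name__ == "__main__":
    for name, blob in (("stego", STEGO_IMAGE), ("clean", CLEAN_IMAGE)):
        print(name, scan_image(blob))
```

Any non-empty tail is reported, not only decodable scripts, so the check also surfaces unknown appended blobs that merit a closer look.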
