
Cyber Incident Victim: Paris, Île-de-France, France

Date: Mar 2022

Location: France

Summary

A targeted attack against French entities in the construction, real estate, and government sectors used macro-enabled Word documents disguised as GDPR compliance material. The macros fetched steganographic images from a compromised Jamaican credit union website; the images carried base64-encoded scripts. The attackers used the Chocolatey package manager to install Python and its dependencies and then deployed the Serpent backdoor, a Python script that polled Tor proxy URLs for commands, executed them, and returned their output through Termbin. The campaign also used a novel evasion technique in which a scheduled task, triggered by an event the attacker raised, launched a payload as a child of a legitimate Windows binary (taskhostw.exe). Together these gave the operators a foothold for remote administration, data theft, or further payload delivery while evading detection.

CIA posture: available to members
Motives: 2 motives (details available to members)
Tactics, techniques and procedures: 2 techniques (details available to members)
Threat actors: 0 actors
Threat actor type: available to members
Threat actor location: available to members

Description

In early 2022, Proofpoint identified a targeted cyberattack against French organizations in the construction, real estate, and government sectors. The campaign used French-language emails with resume-themed subjects, such as "Candidature - Jeanne Vrakele" (Application - Jeanne Vrakele), sent from jeanne.vrakele@gmail[.]com. The emails carried macro-enabled Microsoft Word documents disguised as GDPR compliance information ("règlement général sur la protection des données", the French name of the GDPR).

When a recipient enabled macros, the document's VBA code retrieved an image from a compromised Jamaican credit union website (fhccu[.]com). This first image, which resembles a cartoon snake, concealed a base64-encoded PowerShell script that started the attack chain. The script downloaded and installed Chocolatey, an open-source Windows package manager; Proofpoint said this was the first time it had seen Chocolatey used in a malicious campaign. The PowerShell script then used Chocolatey to install Python (which includes pip) and used pip to install PySocks, a SOCKS proxy client for Python. A second steganographic image from the same host delivered a base64-encoded Python script, saved as MicrosoftSecurityUpdate.py, which Proofpoint named "Serpent". The chain ended by opening a URL that redirected to Microsoft's official help website, most likely as a decoy.
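As an added example (not code from the Proofpoint report or from the campaign itself), here is a small Python detector for the stager-delivery step described above. It checks a PNG for data appended after the IEND chunk and decodes every long base64 run in the file, keeping runs that decode to printable text containing script keywords. The embedding method is an assumption: the page says a base64-encoded PowerShell script was hidden in an image but not how, so the fixture simply appends the base64 blob after the image data. The PNG fixture, the stager line, and the indicator list are all constructed for the example.

```python
import base64
import binascii
import re
import struct
import zlib

# Keywords that mark a decoded blob as a likely script stager. Assumed list, not from the report.
SCRIPT_INDICATORS = ("powershell", "iex", "invoke-", "downloadstring", "choco", "python", "pip ")

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long runs of base64 alphabet


def _png_chunk(tag: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def build_sample_png(appended: bytes = b"") -> bytes:
    """Constructed fixture: a valid 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\xff\xff")              # filter byte 0 + one white pixel
    png = (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    return png + appended


def bytes_after_iend(image: bytes) -> int:
    """Number of bytes following the IEND chunk. A well-formed PNG has 0."""
    if not image.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = image.rfind(b"IEND")
    if pos < 0:
        raise ValueError("no IEND chunk")
    return len(image) - (pos + 4 + 4)   # 4-byte chunk tag + 4-byte CRC


def find_hidden_scripts(image: bytes) -> list:
    """Decode every long base64 run in the file and keep those that are printable
    text containing a script indicator. Returns dicts with offset, text, indicators."""
    findings = []
    for m in B64_RUN.finditer(image):
        blob = m.group()
        try:
            decoded = base64.b64decode(blob + b"=" * (-len(blob) % 4), validate=True)
            text = decoded.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue   # random bytes that happen to look like base64
        if any(not (c.isprintable() or c.isspace()) for c in text):
            continue
        hits = [k for k in SCRIPT_INDICATORS if k in text.lower()]
        if hits:
            findings.append({"offset": m.start(), "text": text, "indicators": hits})
    return findings


# Constructed stager line standing in for the base64 PowerShell the campaign hid in its image.
SAMPLE_SCRIPT = 'powershell -nop -c "choco install python -y; pip install PySocks"'
SAMPLE_IMAGE = build_sample_png(base64.b64encode(SAMPLE_SCRIPT.encode()))

if __name__ == "__main__":
    print("trailing bytes after IEND:", bytes_after_iend(SAMPLE_IMAGE))
    for f in find_hidden_scripts(SAMPLE_IMAGE):
        print(f["offset"], f["indicators"], f["text"])
```

The trailing-data check is the cheap, format-level test (any bytes after IEND are suspicious on their own); the base64 scan is the content-level test that also catches a blob hidden inside a metadata chunk, since it does not depend on where in the file the run sits.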


The Serpent backdoor established command-and-control through two URLs on onion[.]pet, a Tor proxy service that exposes .onion sites to ordinary HTTP clients. It polled the first URL every 10 seconds for commands in the form "<random integer>--<hostname>--<command>". If the hostname matched the infected device, the malware executed the command, posted the output to the Termbin paste service over PySocks, and then sent the hostname and the resulting Termbin URL in HTTP headers to the second URL. The operators could thus run arbitrary Windows commands and collect their output.

A separate payload, also delivered via steganography, demonstrated a novel detection evasion technique. It used schtasks.exe to create a scheduled task triggered by Event ID 777, raised a dummy event with that ID to fire the task, and thereby launched calc.exe as a child of the legitimate taskhostw.exe process, after which it deleted the task. Because the payload's parent is a trusted Windows binary rather than the attacker's script, a detection keyed on parent-child process relationships does not see the suspicious lineage.

Proofpoint assessed the campaign as likely the work of an advanced actor because of its unusual combination of steganography, abuse of legitimate tools (Chocolatey, Python), and novel execution methods. The attacker's objectives remain unknown, but a compromised host was exposed to data theft, remote control, and secondary payload delivery. Proofpoint blocked the campaign with signatures covering Chocolatey-related traffic, script retrieval via images, and other behavioral indicators, and credited the discovery to machine learning tooling that clustered the anomalous threat patterns.
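As an added example (not code from the report or the campaign), the following Python correlates the scheduled-task evasion described above over process-creation telemetry: a schtasks /Create with an ONEVENT trigger, followed within a short window by a self-raised event with the same ID, a process running under taskhostw.exe whose image matches the task action, and a schtasks /Delete of the same task. The records are constructed in Sysmon Event ID 1 style; the task name, the use of eventcreate.exe to raise the dummy event (the page does not say how the event was raised), the command-line flags, and the benign noise records are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SCHTASKS = r"C:\Windows\System32\schtasks.exe"
EVENTCREATE = r"C:\Windows\System32\eventcreate.exe"
TASKHOSTW = r"C:\Windows\System32\taskhostw.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation records in Sysmon Event ID 1 style (not real telemetry).
# The first four model the described chain; the last two are benign noise.
SAMPLE_EVENTS = [
    {"UtcTime": "2022-03-01T10:00:00.000", "Image": SCHTASKS, "ParentImage": POWERSHELL,
     "CommandLine": r'schtasks /Create /TN "WinUpd" /TR "C:\Windows\System32\calc.exe" '
                    r'/SC ONEVENT /EC Application /MO "*[System/EventID=777]" /F'},
    {"UtcTime": "2022-03-01T10:00:00.400", "Image": EVENTCREATE, "ParentImage": POWERSHELL,
     "CommandLine": r'eventcreate /ID 777 /T INFORMATION /L Application /SO WinUpd /D "update"'},
    {"UtcTime": "2022-03-01T10:00:01.100", "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": TASKHOSTW, "CommandLine": r"C:\Windows\System32\calc.exe"},
    {"UtcTime": "2022-03-01T10:00:02.000", "Image": SCHTASKS, "ParentImage": POWERSHELL,
     "CommandLine": r'schtasks /Delete /TN "WinUpd" /F'},
    {"UtcTime": "2022-03-01T10:05:00.000", "Image": SCHTASKS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks /Create /TN "NightlyBackup" /TR "C:\Tools\backup.exe" /SC DAILY /ST 02:00'},
    {"UtcTime": "2022-03-01T10:06:00.000", "Image": r"C:\Windows\System32\wsqmcons.exe",
     "ParentImage": TASKHOSTW, "CommandLine": r"C:\Windows\System32\wsqmcons.exe"},
]

TN_RE = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)      # task name, quoted or bare
TR_RE = re.compile(r'/TR\s+(?:"([^"]+)"|(\S+))', re.I)      # task action (program to run)
EVENTID_RE = re.compile(r"EventID\s*=\s*(\d+)", re.I)       # inside the /MO XPath filter
EC_ID_RE = re.compile(r"/ID\s+(\d+)", re.I)                 # eventcreate's event ID


def _first_group(m):
    return next(g for g in m.groups() if g is not None) if m else None


def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _ts(event) -> datetime:
    return datetime.fromisoformat(event["UtcTime"])


def detect_onevent_task_abuse(events, window=timedelta(seconds=60)):
    """Alert on an ONEVENT scheduled-task creation that is followed, within `window`,
    by at least one of: a self-raised event with the same ID, the task action running
    under taskhostw.exe, or deletion of the same task."""
    events = sorted(events, key=_ts)
    alerts = []
    for e in events:
        cl = e["CommandLine"]
        if _base(e["Image"]) != "schtasks.exe" or not re.search(r"/create\b", cl, re.I):
            continue
        if not re.search(r"/sc\s+onevent\b", cl, re.I):
            continue
        task, action = _first_group(TN_RE.search(cl)), _first_group(TR_RE.search(cl))
        ev = EVENTID_RE.search(cl)
        if not (task and action and ev):
            continue
        event_id, t0 = ev.group(1), _ts(e)
        stages = ["create_onevent_task"]
        for x in events:
            if x is e or not (t0 <= _ts(x) <= t0 + window):
                continue
            xb, xcl = _base(x["Image"]), x["CommandLine"]
            if xb == "eventcreate.exe" and (m := EC_ID_RE.search(xcl)) and m.group(1) == event_id:
                stages.append("synthetic_trigger_event")
            elif xb == _base(action) and _base(x["ParentImage"]) == "taskhostw.exe":
                stages.append("payload_under_taskhostw")
            elif xb == "schtasks.exe" and re.search(r"/delete\b", xcl, re.I) \
                    and _first_group(TN_RE.search(xcl)) == task:
                stages.append("task_deleted")
        if len(stages) >= 2:
            alerts.append({"first_seen": e["UtcTime"], "task": task, "event_id": int(event_id),
                           "payload": action, "stages": stages})
    return alerts


if __name__ == "__main__":
    for alert in detect_onevent_task_abuse(SAMPLE_EVENTS):
        print(alert)
```

The correlation keys on the ONEVENT trigger and the matching event ID rather than on the payload name, so it still fires when calc.exe is swapped for a real implant; the benign daily backup task and the legitimate taskhostw.exe child in the sample produce no alert.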

Sources

1 source (available to members)