Proofpoint reveals French entities targeted using open-source package installer Chocolatey

Proofpoint has identified a targeted attack that leverages the open-source package installer ‘Chocolatey’ to deliver a backdoor to French entities in the construction, real estate, and government sectors. The attacker used a resume-themed subject and a lure purporting to be General Data Protection Regulation (GDPR) information. The hackers also deployed steganography, including a cartoon image, to download and install the Serpent backdoor.

The company also said that the attacker demonstrated a novel detection-bypass technique using a Scheduled Task, and that the attacker’s objectives are currently unknown. However, based on the tactics and targeting observed, it is likely an advanced, targeted threat, Proofpoint added.

“The threat actor used macro-enabled Microsoft Word documents to distribute the Chocolatey installer package, an open-source package installer,” Proofpoint researchers wrote in a company blog post on Monday. “The threat actor attempted to install a backdoor on a potential victim’s device, which could enable remote administration, command and control (C2), data theft, or deliver other additional payloads. Proofpoint refers to this backdoor as Serpent. The ultimate objective of the threat actor is currently unknown,” they added.

Chocolatey is a software management automation tool for Windows that wraps installers, executables, zips, and scripts into compiled packages, similar to Homebrew for OSX. The software provides both open-source and paid versions with various levels of functionality. It allows users to install and manage over 9,000 applications and any dependencies through the command line.

In the observed campaign, Proofpoint said, the messages are in French and contain a macro-enabled Microsoft Word document masquerading as information relating to the ‘règlement général sur la protection des données (RGPD)’, the European Union’s GDPR requirements.

“When macros are enabled, the document executes that macro, which reaches out to an image URL, e.g., https://www.fhccu[.]com/images/ship3[.]jpg, containing a base64 encoded PowerShell script hidden in the image using steganography,” the Proofpoint researchers said. The PowerShell script first downloads, installs, and updates the Chocolatey installer package and repository script, they added. 

Proofpoint has not previously observed a hacker using Chocolatey in campaigns, the post said. “The script then uses Chocolatey to install Python, including the pip Python package installer, which it then uses to install various dependencies including PySocks, a Python based reverse proxy client that enables users to send traffic through SOCKS and HTTP proxy servers,” the researchers added.

“Next, the script fetches another image file, e.g. https://www.fhccu[.]com/images/7[.]jpg, which contains a base64 encoded Python script also hidden using steganography, and saves the Python script as MicrosoftSecurityUpdate.py,” the researchers said. The script then creates and executes a .bat file that in turn executes the Python script. The attack chain ends with a command to a shortened URL which redirects to the Microsoft Office help website, they added.

Proofpoint assessed that the hacker’s combination of multiple unique behaviors and specific targeting suggests this is likely an advanced, targeted threat. “Leveraging Chocolatey as an initial payload may allow the threat actor to bypass threat detection mechanisms because it is a legitimate software package and would not immediately be identified as malicious. The follow-on use of legitimate Python tools observed in network traffic may also not be flagged or identified as malicious,” it added.

The use of steganography in the macro and follow-on payloads is unique, as Proofpoint rarely observes steganography in campaigns, the researchers said. Additionally, the technique of using ‘schtasks.exe’ to execute any desired portable executable file is also unique and had not previously been observed by Proofpoint threat researchers.
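As an added illustration (not Proofpoint’s code or tooling), the Python below flags the process lineage the post describes, an Office application spawning PowerShell that then drives choco, pip, cmd or python, over constructed process-creation events; the event format, process names and tool list are assumptions, and a PowerShell session started from Explorer that also runs choco is deliberately left unflagged.

```python
from collections import defaultdict

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Legitimate tooling the campaign abuses; suspicious only under an Office parent.
SUSPECT_TOOLS = {"choco.exe", "pip.exe", "python.exe", "cmd.exe", "schtasks.exe"}

# Constructed sample events (pid, ppid, image, command line); not real telemetry.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE", "cmd": "WINWORD.EXE rgpd.docm"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -w hidden -File stage1.ps1"},
    {"pid": 400, "ppid": 300, "image": "choco.exe", "cmd": "choco install python -y"},
    {"pid": 500, "ppid": 300, "image": "pip.exe", "cmd": "pip install PySocks"},
    {"pid": 600, "ppid": 300, "image": "cmd.exe", "cmd": "cmd /c run.bat"},
    {"pid": 700, "ppid": 600, "image": "python.exe", "cmd": "python MicrosoftSecurityUpdate.py"},
    {"pid": 800, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe Get-Process"},
    {"pid": 900, "ppid": 800, "image": "choco.exe", "cmd": "choco upgrade all"},
]

def build_tree(events):
    # Index events by pid and map each parent pid to its child pids.
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children

def descendants(children, pid):
    # Depth-first walk of every process under pid (children, grandchildren, ...).
    stack, out = list(children.get(pid, [])), []
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out

def find_office_lineage_installs(events):
    """Return (office_pid, powershell_pid, sorted suspect command lines) for
    each PowerShell process spawned by an Office app that runs installer tooling."""
    by_pid, children = build_tree(events)
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        parent = by_pid.get(e["ppid"])
        if not parent or parent["image"].lower() not in OFFICE_APPS:
            continue  # PowerShell under Explorer or a service is out of scope here
        suspect = [by_pid[d]["cmd"] for d in descendants(children, e["pid"])
                   if by_pid[d]["image"].lower() in SUSPECT_TOOLS]
        if suspect:
            hits.append((parent["pid"], e["pid"], sorted(suspect)))
    return hits
```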

Proofpoint does not associate this threat with a known hacker or group. “The ultimate objectives of the threat actor are presently unknown. Successful compromise would enable a threat actor to conduct a variety of activities, including stealing information, obtaining control of an infected host, or installing additional payloads,” the researchers added.

Earlier this month, a highly sophisticated espionage tool named Daxin was used by China-linked hackers against select governments and other critical infrastructure targets, according to research released by the Symantec Threat Hunter team. Targets of Daxin deployments have included government organizations and entities in the telecommunications, transportation, and manufacturing sectors.

Last week, researchers at Cisco Talos detected cyber attackers targeting Turkey and other Asian countries whom they assess with high confidence to be groups operating under the MuddyWater umbrella of advanced persistent threat (APT) groups. The MuddyWater hackers are believed to be ‘a conglomerate of multiple teams operating independently rather than a single threat actor group,’ and conduct campaigns against various industries, including national and local governments and ministries, universities, and private entities.
