Attackers are using the popular Chocolatey package manager for Windows in a new phishing campaign to infect French government organizations and large construction companies with the Serpent backdoor.
Chocolatey is an open source package manager for Windows PCs that allows users to install and manage more than 9 thousand applications and any dependencies using the command line.
In a new malicious campaign discovered by researchers of the information security company Proofpoint, attackers use a rather confusing chain of infection using malicious Microsoft Word documents with macros, the Chocolatey batch manager and steganographic images to bypass detection.
The multi-stage cyberattack begins with a phishing letter allegedly from the European regulator in the field of personal data protection General Data Protection Regulations agency with an attached Word document with malicious macro code.
When the victim opens the letter and activates macros, these macros extract the image of the cartoon character “Dasha the Traveler” the fox cub. The image itself seems quite harmless, but with the help of steganography, a PowerShell script is hidden in it, which the macro then executes.
The PowerShell script first downloads and installs the Chocolatey package manager, which then installs the Python programming language and the PIP package installer.
Chocolatey is also used to bypass the detection of security solutions, as it is often present in corporate environments for remote software management and is allowed by administrators. According to the researchers, they have never seen the use of Chocolatey in hacker campaigns.
At the final stage, a second steganographic image is loaded, which in turn loads the Serpent backdoor written in Python. After downloading, the malware connects to the C&C server to receive further commands. According to the researchers, the backdoor is capable of executing any command of attackers, including downloading additional malware, opening reverse shells and gaining full control over the infected device.
Proofpoint specialists failed to find anything that would allow them to determine who is behind the malicious campaign. Although their goals are not yet clear, the tactics used indicate espionage.