Serpent Backdoor Trojan
A highly targeted attack campaign against French companies in the real estate, construction, and government sectors has been uncovered by cybersecurity experts. The operation ultimately deployed a previously unknown backdoor named the Serpent Backdoor Trojan. Details about the malware and its attack chain were released in a report by security researchers.
The goals of the threat actors remain unknown, but the Serpent Backdoor can perform various intrusive actions on a breached machine. The Trojan provides remote access to the device, contacts a Command-and-Control (C2, C&C) server, and can be instructed to steal data or deliver additional malicious payloads.
A Complex Attack Chain
According to the researchers' findings, the Serpent Backdoor was delivered to the targeted systems as the final step in an attack chain that involved several new or rarely used techniques. First, the attackers sent lure emails posing as job resumes or documents related to the GDPR (the EU's General Data Protection Regulation) to the unsuspecting victims. The emails carried a bait Microsoft Word document containing malicious macros.
Opening the document triggers the macro, which retrieves a base64-encoded PowerShell script hidden inside an image via steganography. The PowerShell script fetches, installs, and updates a Chocolatey installer package. This is the first time researchers have observed the legitimate software management automation tool Chocolatey being used as part of an attack campaign.
Chocolatey is used to install Python on the device, including the pip package installer. pip in turn installs numerous dependencies, such as PySocks, which lets users route traffic through SOCKS and HTTP proxy servers. The next step once again involves extracting data hidden in an image via steganography; this time, a Python script is extracted and saved on the victim's machine as MicrosoftSecurityUpdate.py. The attack chain is completed when a command pointing to a shortened URL that leads to the Microsoft Office help website is executed.
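The chain above leaves a recognisable sequence in process-creation telemetry (Office spawning PowerShell, Chocolatey installing Python, pip installing PySocks, Python running MicrosoftSecurityUpdate.py). As an added example, not part of the original report or its published detections, the following defender-side logic correlates those stages over constructed sample events; the regexes, event schema, file paths, and the "two stages" threshold are assumptions for illustration.

```python
import re

# One entry per stage of the chain: (stage name, regex on parent image,
# regex on "image + command line"). Patterns are illustrative assumptions.
STAGES = [
    ("office_spawns_powershell", r"\\(winword|excel)\.exe$", r"\\powershell\.exe"),
    ("chocolatey_installs_python", r".*", r"\\choco(latey)?\.exe.*\binstall\b.*\bpython\b"),
    ("pip_installs_pysocks", r".*", r"\bpip(3)?(\.exe)?\b.*\binstall\b.*\bpysocks\b"),
    ("python_runs_fake_update", r".*", r"\\python\.exe.*MicrosoftSecurityUpdate\.py"),
]

def stages_hit(events):
    """Return the chain stages observed in a list of process-creation events.
    Each event is a dict with 'parent', 'image' and 'cmdline' (assumed schema)."""
    hit = []
    for name, parent_re, cmd_re in STAGES:
        for ev in events:
            subject = ev["image"] + " " + ev["cmdline"]
            if re.search(parent_re, ev["parent"], re.I) and re.search(cmd_re, subject, re.I):
                hit.append(name)
                break  # one match per stage is enough
    return hit

def is_serpent_chain(events, min_stages=2):
    """Flag a host when at least min_stages of the chain are present (threshold is an assumption)."""
    return len(stages_hit(events)) >= min_stages

def ev(parent, image, cmdline):
    return {"parent": parent, "image": image, "cmdline": cmdline}

# Constructed sample telemetry mirroring the chain described in the article.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ev(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", PS,
       "powershell.exe -w hidden -enc <base64 placeholder>"),
    ev(PS, r"C:\ProgramData\chocolatey\choco.exe", "choco.exe install python -y"),
    ev(PS, r"C:\Python310\Scripts\pip.exe", "pip.exe install pysocks"),
    ev(PS, r"C:\Python310\python.exe", r"python.exe C:\Users\Public\MicrosoftSecurityUpdate.py"),
]
# Constructed benign activity: admin PowerShell and a Chocolatey install of git.
BENIGN_EVENTS = [
    ev(r"C:\Windows\explorer.exe", PS, "powershell.exe Get-Process"),
    ev(r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\chocolatey\choco.exe", "choco.exe install git -y"),
]

if __name__ == "__main__":
    print("sample:", stages_hit(SAMPLE_EVENTS), is_serpent_chain(SAMPLE_EVENTS))
    print("benign:", stages_hit(BENIGN_EVENTS), is_serpent_chain(BENIGN_EVENTS))
```

Any single stage (Chocolatey, pip, even Office spawning PowerShell) is common in legitimate environments, which is why the check correlates several of them on one host rather than alerting on one.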