Serpent Backdoor Slithers into Orgs Using Chocolatey Installer

An unusual attack using an open-source Python package installer called Chocolatey, steganography and Scheduled Tasks is stealthily delivering spyware to companies.

Researchers have discovered a cyberattack that uses unusual evasion tactics to backdoor French organizations with a novel malware dubbed Serpent, they said.

A team from Proofpoint observed what they call an “advanced, targeted threat” that uses email-based lures and malicious files typical of many malware campaigns to deliver its ultimate payload to targets in the French construction, real-estate and government industries.

However, between initial contact and payload, the attack uses methods to avoid detection that haven’t been seen before, researchers revealed in a blog post Monday.

These include the use of a legitimate software package installer called Chocolatey as an initial payload, equally legitimate Python tools that wouldn’t be flagged in network traffic, and a novel detection bypass technique using a Scheduled Task, they said.

“The ultimate objectives of the threat actor are presently unknown,” Proofpoint researchers Bryan Campbell, Zachary Abzug, Andrew Northern and Selena Larson acknowledged in the post. “Successful compromise would enable a threat actor to conduct a variety of activities, including stealing information, obtaining control of an infected host or installing additional

Read More: https://threatpost.com/serpent-backdoor-chocolatey-installer/179027/