A new backdoor dubbed Serpent has been found on internet, infecting French entities in the construction and government sectors. The backdoor is installed via innovative ways, which include steganography, Tor proxy and legitimate package installer software.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
The new backdoor has been found and exposed by Proofpoint in a publication released today.
How the Serpent backdoor makes its initial compromise
As often with targeted attacks, it all starts with an email. In this case as exposed by Proofpoint, it contains an infecting Microsoft Word document, written in French (Figure A).
The document lures the user into enabling macros to be able to read the document, which is a very common tactic for attackers to start an infection on a targeted computer.
The email’s subject, “Candidature” followed by a first and last name, is the usual French word used for “job application” and is another common lure used by attackers to entice a user to open a malicious document.
A long and unseen infection chain
Once the macro is enabled, it downloads an image located on a compromised website. That image contains an encoded PowerShell script, hidden using steganography (concealing a message within a message).
That PowerShell script downloads, installs and updates an installer package known as Chocolatey. Chocolatey is a software management automation tool for Windows systems. It wraps installers, exe files, archives and scripts, all into a compiled package. Proofpoint reports that to its knowledge this is the first time this tool has been abused by a threat actor in an attack campaign.
The next step consists of installing various dependencies including PySocks, a Python tool that enables users to send traffic through Socks and HTTP proxy servers.
Another image is downloaded from the same website as for the first image, which once again uses steganography, this time to store an encoded Python script saved on the computer as MicrosoftSecurityUpdate.py (Figure B).
The infection chain stops with a command to a URL shortener link which redirects the user to the legitimate Microsoft Office help website.
All these steps make the analysis of the attack much more complicated (Figure C).
The Serpent backdoor
The Serpent backdoor is a Python script that works as follows:
- It regularly pings a server that lies on the Tor network via the use of a .onion.pet URL and expects a specific answer: <random integer>–<hostname>–<command>.
- It checks if the hostname matches the infected computer, and if so, it runs commands provided by the server. Those commands might be just any Windows command as designed by the attacker.
- Command output is recorded.
- It uses PySocks to connect to the command line pastebin tool Termbin, pastes the output to a bin, and receives the bin’s unique URL back.
- Once done, the backdoor sends a request to a second server, also using the Tor network. The request includes the bin URL and the hostname. This allows the attacker to get the answers from the backdoor.
- The cycle goes on indefinitely.
More tools from the threat actor
In addition to the Serpent backdoor, Proofpoint discovered additional payloads being served from the same host. One of particular interest is utilizing what Proofpoint believes to be a “novel application of signed binary proxy execution using schtasks.exe,” in an attempt to bypass detections. The command is once again contained in an image using steganography. It leverages schtasks.exe to create a one-time task to call a portable executable. The trigger for this task is contingent on the creation of a Windows event with EventID of 777. The command then creates a dummy event to trigger the task and deletes the task from the task scheduler. This peculiar application of tasking logic results in the portable executable being executed as a child process of taskhostsw.exe, which is a signed Windows binary.
A unique threat actor
The installation of Chocolatey and Python tools is something that can greatly help the attack to stay under the radar, as the tools are legitimate and likely not to trigger any alert.
In addition, Proofpoint rarely observes steganography in campaigns. The last found tool using schtasks.exe is also unique and previously unobserved.
In addition, the way the Tor network is used is uncommon and makes it harder to stop the threat, since the final server’s location is unknown and cannot be simply shut down.
The ultimate goal of this threat actor is unknown. An infected computer might lead to data theft, additional payload installation and execution, or controlling the infected host.
How to protect from this threat
Proofpoint provides several indicators of compromise (IOCs) which should be used for improving detection and avoid falling for this threat.
In particular, the network connections related to this threat should be blocked.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.