An unknown and likely advanced threat actor is using a novel combination of open source tools, steganography, and a detection bypass technique to attack government agencies, real estate companies, and construction firms in France.
Researchers from Proofpoint tracking the phishing campaign have so far not been able to identify either a motive for it or the threat actor behind the attacks. But in a blog Monday, the email security vendor described the combination of tactics and techniques in the campaign as adding up to a "unique attack chain."
Successful compromise would allow the threat actor to take a variety of actions including stealing data, installing additional malware, or taking complete control of infected systems, Proofpoint warned.
The phishing lure in the campaign is a macro-enabled Word document purporting to contain messaging related to the EU's General Data Protection Regulation (GDPR). When the macro is executed, it reaches out to an image URL and downloads a PowerShell script that is hidden using steganography in the image of Swiper, a character in a children's cartoon show. The PowerShell script in turn downloads and installs Chocolatey, a software installer for Windows environments that is available both as a free open source tool and as a paid, multifunctional product.
The PowerShell script uses Chocolatey to install Python and a Python package installer. That installer in turn is used to download various other components, including a Python-based reverse proxy client called PySocks for sending traffic through HTTP and SOCKS proxy servers. In the next step, the PowerShell script downloads a backdoor — which Proofpoint has dubbed "Serpent" — on the compromised system. The backdoor then periodically pings a remote Tor proxy server (onion.pet) waiting for specific commands and sends the output from any command to a second attacker-monitored Tor proxy server. The attack chain ends with a command that redirects the email recipient to a Microsoft Office help website.
Proofpoint said this is the first time it had observed a threat actor using Chocolatey in a phishing campaign. Similarly, the use of Python is also unique and not something that Proofpoint has typically observed among malware authors, the security vendor said.
All the malicious activity takes places in the background. The only thing the user sees in the end is a Microsoft pop-up that redirects them to a Microsoft help webpage, says Sherrod DeGrippo, vice president, threat research and detection at Proofpoint. "When macros are enabled, the malicious content is automatically loaded in the background so a recipient wouldn’t see the activity on their screen," DeGrippo says. "For example, with the Swiper image, PowerShell calls out to the jpg to get the obfuscated data and runs follow-on commands without alerting a user the activity is occurring, or showing the victim the jpg itself," she says.
Notable in this attack chain is that a lot of the tools used, such as Powershell, Chocolatey, and PySocks, are legitimate tools that could be found legitimately on a host, DeGrippo says.
One particularly significant aspect of the attack chain is how it uses the schtasks.exe job scheduler to try to bypass malware detection mechanisms. "The technique is novel in its application of schtask.exe," DeGrippo notes. "Historically schtask has been leveraged as a persistence mechanism — by means of adding a task — to ensure memory loaded payloads persist after a reboot."
Malware authors have also used it as a means of initial execution for a secondary payload or dropper, she says.
What is unique in this instance is schtask is not used for repeating a task. Rather, it is used to create a one-time task that essentially results in an executable file being executed as a Microsoft signed binary — or in a manner that heuristics-based endpoint detection and AV tools would likely trust, DeGrippo says. While many components of the attack path are unique, such as the use of encoded images, using two onion.pet servers, and the use of schtasks.exe to create a one-time task, the attack chain is not necessarily sophisticated, she adds.