Background
Proofpoint recently published research on Serpent, a newly discovered backdoor malware. Proofpoint observed the malware targeting the construction, real estate, and government verticals in France.
What is Serpent?
Serpent is a backdoor malware delivered via a unique attack chain. The threat actors used phishing emails with macro-enabled Microsoft Word documents and a GDPR themed lure as the initial attack vector. When the macro in the Word document executes, it reaches out to an image containing a base64 encoded PowerShell script hidden using steganography. The PowerShell script is used to download, update, and distribute the Chocolatey installer package. Chocolatey then installs Python, pip, and PySocks. The script then fetches a second image that uses steganography to hide a base64 encoded Python script. It saves the script as MicrosoftSecurityUpdate.py, which then creates and executes a .bat file that executes a Python script, Serpent backdoor. The malware was dubbed Serpent due to the presence of snake ASCII art in the VBA macro.
Serpent periodically pings the C2 server and expects responses of the form <random integer>--<hostname>--<command>. If <hostname> matches the hostname of the victim computer, the infected host runs any Windows command sent by the attacker and records the output. Serpent then uses Termbin to paste the output to a bin, receives the bin’s unique URL, and sends the request to a second C2, allowing the attacker to monitor the bin outputs to see the infected host’s response.
In addition to the unique attack chain used, the threat actors also employed what Proofpoint calls a “novel application” of signed binary proxy execution using schtasks.exe in an attempt to evade detection. While Proofpoint did not determine the threat actor’s objectives, they stated that the attacks appear to be targeted and assessed that the threat actors have advanced capabilities.
IOCs
PolySwarm has multiple samples associated with Serpent.
F988e252551fe83b5fc3749e1d844c31fad60be0c25e546c80dbb9923e03eaf2
8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19
You can use the following CLI command to search for all Serpent samples in our portal:
$ polyswarm link list -f Serpent
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports