Researchers on Monday reported a targeted attack that leveraged the open-source Windows package manager Chocolatey to deliver a backdoor to organizations in the French construction, real estate, and government sectors.
In a blog post, Proofpoint researchers said that what made the campaign especially worth noting was the lure: a résumé-themed subject line and a phishing document posing as GDPR information. The attacker also used steganography, hiding the next stage inside a cartoon image, to download and install the Serpent backdoor, and demonstrated a novel detection bypass technique using a Scheduled Task.
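The report gives the tradecraft only at the level above, so the following is an added hunting script written for this page, not code from Proofpoint or from the Chocolatey project. It assumes a Windows host with the built-in ScheduledTasks module, the default Chocolatey log location under ProgramData, and (for the last step) auditing of "Other Object Access Events" so that scheduled-task creation is logged as Security event 4698. The list of interpreter names it flags is an assumption, not an indicator from the report.

```powershell
# Added triage script (not from the Proofpoint report). Three quick checks a
# responder can run on a suspect host: scheduled tasks that launch a package
# manager or script interpreter, what Chocolatey itself logged installing,
# and recent task-creation audit events.

# Assumed list of binaries worth a second look when launched from a task.
$SuspiciousPatterns = @('choco', 'chocolatey', 'powershell', 'pwsh', 'mshta',
                        'wscript', 'cscript', 'rundll32', 'regsvr32')

# 1. Scheduled tasks whose action command line matches one of the patterns.
#    Get-ScheduledTask returns MSFT_ScheduledTask objects; each Action exposes
#    the executable (Execute) and its arguments (Arguments).
$hits = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        $matched = $SuspiciousPatterns | Where-Object { $cmd -match $_ }
        if ($matched) {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                RunAs    = $task.Principal.UserId
                State    = $task.State
                Command  = $cmd
            }
        }
    }
}
"== Scheduled tasks launching interpreters or Chocolatey =="
$hits | Format-Table -AutoSize

# 2. Chocolatey's own log (default path; assumed unchanged on this host).
#    The match strings are assumptions about choco's log wording; widen them
#    if your version phrases installs differently.
$ChocoLog = Join-Path $env:ProgramData 'chocolatey\logs\chocolatey.log'
"== Recent Chocolatey install activity =="
if (Test-Path $ChocoLog) {
    Select-String -Path $ChocoLog -Pattern 'Installing the following packages', 'was successful' |
        Select-Object -Last 20 |
        ForEach-Object { $_.Line }
} else {
    "Chocolatey log not found at $ChocoLog (Chocolatey absent or log path changed)"
}

# 3. Security event 4698 ("A scheduled task was created"), newest 50.
#    Only present when the relevant audit subcategory is enabled.
"== Recent task-creation audit events (4698) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'TaskName'; e = { ($_.Message -split "`r?`n" | Select-String 'Task Name:') -replace '.*Task Name:\s*', '' } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session, since non-administrators cannot read the Security log or see every task. A task that runs as SYSTEM, was created minutes before a Chocolatey install, and launches an interpreter with a long encoded argument is the combination worth escalating; any one of these on its own is common on a managed workstation.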
The Proofpoint researchers said that while the attackers' objectives are still unknown, the tactics and targeting they observed lead them to treat it as an advanced, targeted threat.
The discovery of this unattributed malware shows that threat actor groups don't necessarily have to be formalized to succeed and there are plenty of attackers to go around with different objectives, said Saryu Nayyar, founder and CEO at Gurucul. Nayyar said it’s clear that phishing and social engineering attacks continue to plague organizations leading to the inevitable compromise because of the volume and subversive nature of these attacks to trick users. Nayyar also pointed out that this attack shows that existing XDR and SIEM solutions are insufficient at finding these types of attacks easily.
“The time it takes for these platforms to detect the unusual remote communications, payload installation and potential data theft would be too late once the threat actor gains control of the systems remotely through external C2 servers,” Nayyar said. “A refined set of behavioral baselining and machine learning models is necessary to identify and call out unusual communications and user activity that would otherwise be nothing more than a blip as a security event individually. Very few solutions can automatically correlate, analyze, and prioritize an emerging attack campaign like this out-of-the-box to prevent the attack from being successful."
Peter Stelzhammer, co-founder of AV-Comparatives, added that before using third-party software there is always a need to check whether it has any vulnerabilities. He added that security teams need to watch the software used frequently, and that they need security tools to find and fix security vulnerabilities in all kinds of software.
“The best way is to have an automated patch management strategy where you can find known vulnerabilities,” Stelzhammer said. “By implementing security standards and policies, developers and organizations can build apps using open-source libraries while remaining protected. Before using open-source components, organizations should require that developers check them for any known or unknown vulnerabilities.”