Proofpoint dissects a cyberattack targeting French construction groups


Cybercriminal groups readily claim their attacks these days, but their objectives are sometimes less clear. In a blog post, the cybersecurity company Proofpoint warns of a campaign of malicious attacks that targeted French organizations in the construction sector and within the French administration.

Called “Snake”, the group first seeks to compromise its targets' machines by sending a booby-trapped e-mail that looks like a job application with a CV attached. The attachment is a Word document that uses GDPR (the General Data Protection Regulation) as a pretext to ask the user to enable macros. If they run, the document downloads a PowerShell script hidden in an image, a technique known as “steganography”. It consists in concealing potentially malicious code inside the data of an image file, which notably lets it slip past the vigilance of security tools.

Snakes and foxes

This script downloads and installs Chocolatey software, a file management utility that allows you to create packages containing installers for various programs.

According to Proofpoint, using this utility could be a way of circumventing the detection and protection tools put in place by the victim, since Chocolatey is a legitimate utility whose use does not automatically raise an alert. It is used to install Python, then to download a new Python script, again hidden in an image by the same steganographic technique, which contains the “Snake” backdoor. Among the images used to hide the malicious scripts is, notably, an image of Swiper, the thieving fox from the Dora the Explorer series.
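As an added illustration of the defensive side of the steganography step described above (example code written for this page, not Proofpoint's analysis or the campaign's tooling), here is a small Python triage check that flags image files carrying script keywords either in data appended after the image's final chunk or inside decoded base64 runs. The article does not detail how the scripts were embedded, so the appended-payload and base64 cases are assumptions, and the sample image and script are constructed.

```python
import base64
import binascii
import re
import struct
import zlib

# Structural end of each format: bytes after it are not pixel data and are a
# common place to stash an appended script (assumed hiding method).
PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_HINTS = (b"powershell", b"Invoke-", b"IEX", b"import ", b"subprocess")
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def trailing_bytes(data: bytes) -> bytes:
    """Return whatever follows the PNG IEND chunk or the first JPEG EOI marker."""
    if data.startswith(PNG_SIG):
        end = data.find(b"IEND")
        return b"" if end == -1 else data[end + 8:]  # skip chunk type + CRC
    if data.startswith(b"\xff\xd8"):
        end = data.find(b"\xff\xd9")  # EXIF thumbnails also carry an EOI: treat hits as leads
        return b"" if end == -1 else data[end + 2:]
    return b""

def try_base64(blob: bytes):
    """Decode a base64 run, or return None if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except (ValueError, binascii.Error):
        return None

def find_hidden_script(data: bytes) -> dict:
    """Flag script keywords in trailing data or in decoded base64 runs."""
    trailer = trailing_bytes(data)
    candidates = [trailer]
    candidates += [d for m in B64_RUN.finditer(data) if (d := try_base64(m.group(0)))]
    hints = sorted({h.decode() for c in candidates for h in SCRIPT_HINTS if h in c})
    return {"trailing_bytes": len(trailer), "hints": hints}

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG; not a real campaign image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")

# Constructed sample: a harmless PowerShell one-liner, base64-encoded and appended after IEND.
BENIGN_SCRIPT = b"powershell -nop -c \"Write-Host 'constructed sample'\""
SAMPLE_IMAGE = make_sample_png() + base64.b64encode(BENIGN_SCRIPT)

if __name__ == "__main__":
    print(find_hidden_script(make_sample_png()))  # clean image: no trailer, no hints
    print(find_hidden_script(SAMPLE_IMAGE))        # flagged: 'powershell' found in appended data
```

A clean image yields no trailing bytes and no hints; the constructed sample is flagged on the decoded appended run, which is the kind of lead a defender would then hand to a full file analysis.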

The backdoor then checks in regularly with the command servers. Proofpoint says it has identified two domain names on onion.pet used by the backdoor to retrieve commands sent by the attackers and to send back the data the backdoor collects from the infected machine.

Sophisticated threat

From Proofpoint’s perspective, this group of attackers falls into the category of sophisticated threats. “The use of steganography in payloads is unique; Proofpoint rarely observes the use of steganography in campaigns,” say the company’s researchers.

Other technical aspects of the campaign are also unique, though the attackers’ end goal is not apparent. “A successful compromise would allow a malicious actor to perform a variety of activities, including stealing information, gaining control of an infected host, or installing additional payloads,” Proofpoint researchers say. In the absence of further details, Proofpoint declines to associate the detected campaigns with other known malicious groups.
