2022-03-29

Serpent Backdoor Malware

Level: 
Tactical
  |  Source: 
ProofPoint
Share:

Serpent Backdoor Malware

Industry: N/A | Level: Tactical | Source: ProofPoint

Research from ProofPoint, identifies a phishing campaign aimed at French entities in industries for construction, government and real estate. The campaign utilizes a Microsoft Word document with an embedded macro, the serpent identifier is derived from the VBA macro as it contains ASCII art illustrating snakes in various sections. Following user execution, a connection is made to a URL containing a PowerShell script that is base64 encoded. Chocolatey, an open-source package installer, is downloaded and installed by the PowerShell script to install Python. The script completes with a python script executed from a .bat file.

  • Anvilogic Scenario: Serpent Backdoor Malware - Attack Chain
  • Anvilogic Use Cases:
  • Office Binary Download Remote File
  • Encoded PowerShell Command
  • Invoke-WebRequest Command
  • Python Execution
  • Package installation

Get trending threats published weekly by the Anvilogic team.

Sign Up Now