A new targeted malware has been observed attacking government and construction entities in France. Proofpoint conducted extensive research of the malware dubbed Serpent.
Serpent backdoor analysis showed that the adversaries are using several unusual behaviors that have not been observed before. This calls for crafting new detection content that specifically captures these new defense evasion techniques. Dive into our new take on detecting the Serpent backdoor malware and stay ahead of this novel threat.
This rule, created by our Threat Bounty developer Emir Erdogan, detects suspicious behavior in which a payload creates a one-time scheduled task to launch a PE file, creates an event to trigger it, and then deletes the task.
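The create-trigger-delete sequence the rule targets can be approximated by correlating process-creation events per host, as in the following added example. This is not the Threat Bounty rule itself or SOC Prime code; the sample events, host names, task name, file paths and the specific `schtasks /sc onevent` and `eventcreate` flags are assumptions about how the chain might appear in telemetry.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, seconds since epoch, command line).
# These are sample values written for this example, not telemetry from the
# Serpent campaign; the flag choices (/sc onevent, eventcreate) are assumptions.
EVENTS = [
    ("ws01", 100, r'schtasks.exe /create /tn "upd" /sc onevent /ec Application /mo "*[System/EventID=777]" /tr "C:\Users\u\AppData\Local\Temp\a.exe" /f'),
    ("ws01", 101, r'eventcreate.exe /id 777 /t information /l Application /so upd /d "x"'),
    ("ws01", 103, r'schtasks.exe /delete /tn "upd" /f'),
    # Benign: a daily backup task that is removed hours later.
    ("ws02", 200, r'schtasks.exe /create /tn "Backup" /sc daily /tr "C:\Program Files\Backup\run.exe"'),
    ("ws02", 9000, r'schtasks.exe /delete /tn "Backup" /f'),
]

TASK_NAME = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
WINDOW = 300  # a task deleted within this many seconds of creation is short-lived


def task_name(cmd):
    """Extract the /tn value from a schtasks command line (lower-cased)."""
    m = TASK_NAME.search(cmd)
    return m.group(1).lower() if m else None


def detect_short_lived_tasks(events, window=WINDOW):
    """Return hits for tasks created and deleted on the same host within
    `window` seconds, noting whether eventcreate.exe ran in between."""
    created = {}                     # (host, task) -> (create time, command line)
    event_times = defaultdict(list)  # host -> timestamps of eventcreate.exe
    hits = []
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        low = cmd.lower()
        name = task_name(cmd)
        if "eventcreate" in low:
            event_times[host].append(ts)
        elif "schtasks" in low and "/create" in low and name:
            created[(host, name)] = (ts, cmd)
        elif "schtasks" in low and "/delete" in low and name and (host, name) in created:
            t0, create_cmd = created.pop((host, name))
            if ts - t0 <= window:
                fired = any(t0 <= t <= ts for t in event_times[host])
                hits.append({"host": host, "task": name, "lifetime_s": ts - t0,
                             "triggered_by_event": fired, "create_cmd": create_cmd})
    return hits


if __name__ == "__main__":
    for hit in detect_short_lived_tasks(EVENTS):
        print(hit)
```

In production the same correlation would run over Sysmon Event ID 1 or EDR process telemetry keyed by host and parent process, and the window can be tightened once you know the baseline for legitimate short-lived tasks.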
Upon login to your SOC Prime account (or creating a new one if you don’t have it yet), you can access the code in Sigma and vendor-specific formats, as well as the intelligence data that’s associated with the backdoor tracked as Serpent.
This rule is translated into the following SIEM, EDR & XDR formats: Microsoft Sentinel, Chronicle Security, Elastic Stack, Splunk, LimaCharlie, Sumo Logic, ArcSight, QRadar, Humio, SentinelOne, Microsoft Defender for Endpoint, CrowdStrike, Devo, FireEye, Carbon Black, LogPoint, Graylog, Regex Grep, Microsoft PowerShell, RSA NetWitness, Apache Kafka ksqlDB, Securonix, AWS OpenSearch.
The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Signed Binary Proxy Execution as a primary technique.
Access thousands of other valuable detection rules on our Detection as Code platform by hitting the button below. Also, if you are an experienced cyber researcher or detection engineer, you can share your valuable insights by submitting your content to our Threat Bounty Program and receiving monetary rewards for it.
At the first stage of the attack, spear-phishing emails deliver macro-enabled Microsoft Word documents that carry the Chocolatey Windows package manager with malicious payloads hidden inside it. In places, the VBA macros depict a snake in ASCII art, which is why researchers refer to this backdoor as Serpent.
The malicious Microsoft Word file masquerades as GDPR documentation, so victims rarely suspect anything unusual. Macro execution leads to an image URL whose image contains a base64-encoded PowerShell script concealed with the help of steganography.
The use of the Chocolatey package installer is new; it has not been observed in attack chains before. It is a legitimate automation tool for Windows that builds packages out of separate ZIP archives, scripts, installers, and EXE files. Attackers use Chocolatey to download and install the Serpent backdoor on a user's device. The malware enables remote administration, access to C&C servers, data theft, and the installation of further payloads.
At the next stage, Chocolatey also installs a set of Python dependencies that the Serpent backdoor needs to control systems remotely. For example, the pip Python package installer installs the PySocks proxy client, then another steganography-hidden script is retrieved via an image URL; when executed, it creates a BAT file, which in turn executes a Python script.
Proofpoint researchers did not specify the objectives of this attack, but they noted that the available evidence of multiple unique behaviors points to an advanced targeted attack.
While cyber-attacks like this are becoming increasingly sophisticated, it is getting harder for individual organizations to fight them on their own. A viable solution is to leverage the benefits of a collaborative defense approach by joining SOC Prime's Detection as Code platform.