
Rewterz Threat Alert – Serpent Backdoor – Active IOCs

March 22, 2022

Severity

Medium

Analysis Summary

French entities have become the target of a new backdoor called “Serpent.” The backdoor is delivered through the Chocolatey package installer. The threat actors have constructed a lure themed around the GDPR (the European Union’s General Data Protection Regulation). Once macros are enabled, they execute and reach out to an image URL. A PowerShell script hidden in that image then downloads, installs, and updates the package installer. Chocolatey is then used to install Python and Python packages.

The “Swiper” image is encoded with the PowerShell scripts used to download and install Chocolatey and Python, and to fetch another steganographic image.
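As an added illustration that is not part of the Rewterz advisory, the following Python detection logic flags the delivery chain described above (Office macro spawning PowerShell, PowerShell reaching out to an image URL, Chocolatey installing Python) in constructed, Sysmon-style process-creation events. The `ProcEvent` shape, host names, and command lines are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed normalisation: image names are lower-case basenames (Sysmon Event ID 1 style).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
CHOCO = {"choco.exe", "chocolatey.exe"}
IMAGE_URL = re.compile(r"https?://\S+\.(?:jpe?g|png|gif|bmp)\b", re.I)
CHOCO_INSTALL = re.compile(r"\bchoco(?:latey)?(?:\.exe)?\s+install\b", re.I)

@dataclass
class ProcEvent:
    host: str
    parent: str    # parent process image (basename, lower-case)
    image: str     # created process image (basename, lower-case)
    cmdline: str

def chain_stages(events):
    """Map each host to the set of Serpent-style delivery stages observed on it."""
    stages = defaultdict(set)
    for e in events:
        # Stage 1: an Office application (macro) spawning PowerShell.
        if e.parent in OFFICE_APPS and e.image in SHELLS:
            stages[e.host].add("office-spawned-powershell")
        # Stage 2: PowerShell reaching out to an image URL (steganographic loader).
        if e.image in SHELLS and IMAGE_URL.search(e.cmdline):
            stages[e.host].add("powershell-fetches-image-url")
        # Stage 3: Chocolatey being driven to install Python.
        if (e.image in CHOCO or CHOCO_INSTALL.search(e.cmdline)) and \
                re.search(r"\bpython\b", e.cmdline, re.I):
            stages[e.host].add("chocolatey-installs-python")
    return dict(stages)

def flag_hosts(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct stages of the chain appeared."""
    return sorted(h for h, s in chain_stages(events).items() if len(s) >= min_stages)

# Constructed sample events (not real telemetry); ws02 is benign admin activity.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "winword.exe", "WINWORD.EXE /n candidature.docm"),
    ProcEvent("ws01", "winword.exe", "powershell.exe",
              "powershell.exe -w hidden -c \"... 'https://cdn.example.invalid/img/a.jpg' ...\""),
    ProcEvent("ws01", "powershell.exe", "choco.exe", "choco.exe install python -y"),
    ProcEvent("ws02", "explorer.exe", "powershell.exe", "powershell.exe -File nightly-backup.ps1"),
    ProcEvent("ws02", "cmd.exe", "choco.exe", "choco.exe install git -y"),
]
```

Calling `flag_hosts(SAMPLE_EVENTS)` returns `['ws01']`; the benign Chocolatey use on ws02 is not flagged because no other stage of the chain accompanies it.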

Impact

  • Information Theft and Espionage
  • Exposure of Sensitive Data

Indicators of Compromise

Email

  • no-reply@dgfip-nanterre[.]com
  • jean[.]dupontel@protonmail[.]com

Email Subject

  • Candidature – Jeanne Vrakele

MD5

  • 321e04294c04db10d5dbf05051e540e2

SHA-256

  • 8912f7255b8f091e90083e584709cf0c69a9b55e09587f5927c9ac39447d6a19

SHA-1

  • 2d6f1ed1236727b36a92dd44cd987c36d6fb7e35

URL

  • http[:]//shorturl[.]at/qzES8
  • https[:]//www[.]fhccu[.]com/images/ship3[.]jpg

Remediation

  • Block the threat indicators at their respective controls.
  • Search for IOCs in your environment.
  • Do not open emails from unknown or suspicious sources.