Serpent Trojan Targets French Users and Institutions
The Serpent Backdoor Trojan is a piece of malware that was recently observed attacking companies and institutions based in France. The criminals approached their victims through phishing emails crafted to look as if they were sent by someone applying for an open job position. Naturally, such messages contain an attached document, like a CV. However, the spam messages did not deliver a safe document. Instead, they delivered a macro-laced Microsoft Word file that can deploy the Serpent Backdoor Trojan.
The malicious macro executes an encoded PowerShell script, which fetches the Serpent Backdoor Trojan payload and runs it in the background. The primary goal of the Trojan is to grant its operators remote access to the infected system, as well as to spread laterally across the network. The best way to counter such attacks is to use reputable antivirus and firewall software, as well as to instruct employees to be extra careful when reviewing random, unexpected email attachments.
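A detection sketch for the macro-to-PowerShell step described above, added here as an example and not taken from the original article: it flags PowerShell started by an Office process with an encoded command and decodes that command for triage. The event field names (host, parent, image, cmdline) and the sample events are constructed assumptions, not data from the campaign.

```python
import base64
import binascii
import re

# Office applications that should not normally launch PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Any "-e..." style switch followed by a Base64 blob.
FLAG_RE = re.compile(r"\s[-/](e\w*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline uses -EncodedCommand, else None."""
    for flag, blob in FLAG_RE.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts prefixes of "encodedcommand" and the alias "ec".
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue
        try:
            # -EncodedCommand carries Base64 over UTF-16LE text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return "<undecodable>"
    return None


def find_suspicious(events):
    """Flag PowerShell launched by an Office parent with an encoded command."""
    hits = []
    for ev in events:
        parent = ev["parent"].lower().rsplit("\\", 1)[-1]
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if parent in OFFICE_PARENTS and image in ("powershell.exe", "pwsh.exe"):
            script = decode_encoded_command(ev["cmdline"])
            if script is not None:
                hits.append((ev["host"], script))
    return hits


# Constructed sample events with a harmless payload (assumed field names).
SAMPLE_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {SAMPLE_B64}"},
    {"host": "WS-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))
```

In practice the events would come from process-creation logging that records the parent image and full command line.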
A separate spam campaign delivering the Serpent Backdoor Trojan relies on steganography. This means that the hackers modified images to embed malicious code in them, which could then be decoded and executed by a script accompanying the image file. It appears that the primary focus of the Trojan is to grant the criminals remote control over the infected system. Once they have control, they use the elevated permissions to hijack information, plant additional malware, or spy on victims. We suspect that cyber espionage and data theft could be the primary goals of the gang behind the Serpent Backdoor Trojan.