A threat actor identified as Polonium has been linked to more than a dozen highly targeted attacks against Israeli entities since September 2021, carried out with seven different custom backdoors.
According to cybersecurity firm ESET, the intrusions targeted organisations in a variety of industries, including engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
Microsoft gave the chemical-element-themed moniker Polonium to a sophisticated operational group believed to be based in Lebanon and known to target Israeli organisations exclusively.
The group's activities were first publicly documented in June 2022, when Microsoft announced it had suspended more than 20 malicious OneDrive accounts the adversary had created for command-and-control (C2) purposes.
Central to the attacks has been the use of implants dubbed CreepyDrive and CreepyBox, which exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts; a PowerShell backdoor called CreepySnail has also been deployed. ESET's latest discovery of five previously unknown backdoors points to an active, espionage-focused threat actor that is continually refining and retooling its malware arsenal.
ESET researcher Matías Porolli said, "The numerous versions and changes Polonium introduced into its custom tools show a continuous and long-term effort to spy on the group's targets. The group doesn't seem to engage in any sabotage or ransomware actions."
The list of bespoke hacking tools is as follows -
- CreepyDrive/CreepyBox - A PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox.
- CreepySnail - A PowerShell backdoor that receives commands from the attacker's own C2 server
- DeepCreep - A C# backdoor that reads commands from a text file stored in Dropbox accounts and exfiltrates data
- MegaCreep - A C# backdoor that reads commands from a text file stored in Mega cloud storage service
- FlipCreep - A C# backdoor that reads commands from a text file stored in an FTP server and exfiltrates data
- TechnoCreep - A C# backdoor that communicates with the C2 server via TCP sockets to execute commands and exfiltrate data
- PapaCreep - A C++ backdoor that can receive and execute commands from a remote server via TCP sockets
PapaCreep, discovered in September 2022, is a modular malware with four distinct components designed to run commands, receive and send commands and their outputs, and upload and download files.
The Slovak cybersecurity firm also discovered several other modules responsible for keystroke logging, screenshot capture, webcam photography, and establishing a reverse shell on the compromised machine. Despite the abundance of malware used in the attacks, the initial access vector used to breach the networks remains unknown, although the exploitation of VPN flaws is suspected.
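Most of the backdoors listed above share one trait a defender can hunt for: instead of a dedicated C2 server, they poll a text file held in a cloud storage service (OneDrive, Dropbox, Mega) or on an FTP server, from a PowerShell host or a C# binary dropped into a user profile. The following is an added example, not code from ESET, Microsoft or the Polonium toolset, of a heuristic that flags that pattern over constructed Sysmon-style network-connection records. The record layout (`ts|image|dst_host|dst_port`), the list of cloud-storage API hostnames, the user-writable path filter and the periodicity thresholds are all assumptions chosen for illustration, not indicators from the report.

```python
"""Heuristic detection of cloud-storage dead-drop C2 (added example).

Flags (1) scripting hosts such as powershell.exe contacting cloud-storage
APIs, (2) binaries running from user-writable paths contacting those APIs
or FTP, and (3) fixed-interval polling of the same destination, which is
what a backdoor that periodically re-reads a command file looks like.
All log records below are constructed; the domain list and thresholds
are assumptions for the example, not published indicators.
"""
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Assumed API endpoints of the storage services named in the report.
CLOUD_STORAGE_DOMAINS = {
    "graph.microsoft.com": "OneDrive",
    "api.onedrive.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "g.api.mega.co.nz": "Mega",
}

# Script interpreters that rarely need to talk to a storage API directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Locations a legitimate sync client is not normally installed in.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I
)


@dataclass
class Conn:
    ts: int        # seconds (constructed timeline)
    image: str     # full path of the process that opened the socket
    dst_host: str  # destination hostname or IP
    dst_port: int


def parse_line(line: str) -> Conn:
    """Parse one constructed 'ts|image|dst_host|dst_port' record."""
    ts, image, host, port = line.strip().split("|")
    return Conn(int(ts), image, host.lower(), int(port))


def classify(c: Conn) -> List[str]:
    """Reasons a single connection resembles dead-drop C2 (may be empty)."""
    reasons = []
    exe = c.image.rsplit("\\", 1)[-1].lower()
    provider = CLOUD_STORAGE_DOMAINS.get(c.dst_host)
    if provider and exe in SCRIPT_HOSTS:
        reasons.append(f"script host {exe} -> {provider} API")
    if provider and USER_WRITABLE.match(c.image):
        reasons.append(f"user-writable binary -> {provider} API")
    if c.dst_port == 21 and USER_WRITABLE.match(c.image):
        reasons.append("user-writable binary -> FTP")
    return reasons


def detect(lines: Iterable[str], min_polls: int = 4, max_cv: float = 0.25
           ) -> Dict[Tuple[str, str], List[str]]:
    """Group suspicious connections per (image, destination) and add a
    'periodic polling' reason when the gaps between them are near-constant
    (coefficient of variation <= max_cv over at least min_polls hits)."""
    hits = defaultdict(list)
    for line in lines:
        c = parse_line(line)
        reasons = classify(c)
        if reasons:
            hits[(c.image, c.dst_host)].append((c.ts, reasons))

    alerts = {}
    for key, entries in hits.items():
        reasons = sorted({r for _, rs in entries for r in rs})
        times = sorted(t for t, _ in entries)
        if len(times) >= min_polls:
            gaps = [b - a for a, b in zip(times, times[1:])]
            mean = statistics.mean(gaps)
            cv = statistics.pstdev(gaps) / mean if mean else 0.0
            if cv <= max_cv:
                reasons.append(
                    f"periodic polling ({len(times)} connections, mean gap {mean:.0f}s)")
        alerts[key] = reasons
    return alerts


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_LOG = [  # constructed records, not real telemetry
    # PowerShell re-reading a Dropbox-hosted file every 60 seconds
    f"1000|{PS}|api.dropboxapi.com|443",
    f"1060|{PS}|api.dropboxapi.com|443",
    f"1120|{PS}|api.dropboxapi.com|443",
    f"1180|{PS}|api.dropboxapi.com|443",
    f"1240|{PS}|api.dropboxapi.com|443",
    # binary dropped under AppData talking to Mega's API (two hits only)
    "1005|C:\\Users\\alice\\AppData\\Roaming\\Sync\\svc.exe|g.api.mega.co.nz|443",
    "1305|C:\\Users\\alice\\AppData\\Roaming\\Sync\\svc.exe|g.api.mega.co.nz|443",
    # binary in Downloads using an FTP server as its dead drop
    "1010|C:\\Users\\alice\\Downloads\\tool.exe|203.0.113.5|21",
    # benign: the real Dropbox client and a browser hitting the same endpoints
    "1015|C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe|api.dropboxapi.com|443",
    "1020|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|graph.microsoft.com|443",
]


def run_sample() -> Dict[Tuple[str, str], List[str]]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for (image, dst), reasons in run_sample().items():
        print(f"{image} -> {dst}: {'; '.join(reasons)}")
```

The benign Dropbox client and the browser touch the same API hostnames but are neither script hosts nor installed in a user-writable path, so they produce no alert; the three suspicious pairs are reported, and only the PowerShell process accumulates enough evenly spaced connections to earn the periodic-polling reason. In production this would run over Sysmon Event ID 3 or proxy logs, and the allowlist of installed sync clients would need tuning per estate.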
Porolli concluded, "Most of the group's malicious modules are small, with limited functionality. They like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain."