Researchers from European cybersecurity vendor ESET have found previously undocumented custom backdoors and tools used by a relatively new APT group called Polonium.
First discovered in June 2022 by the Microsoft Threat Intelligence Center (MSTIC), Polonium is a highly sophisticated, currently active hacking group, which appears to be exclusively targeting Israeli organizations for cyber-espionage purposes – they have not so far deployed sabotage tools such as ransomware or wipers.
Microsoft researchers have linked Polonium to Lebanon and assessed the group has ties with Iran's Ministry of Intelligence and Security (MOIS).
ESET’s findings, presented at the Virus Bulletin 2022 conference in late September and published on October 11, 2022, show that Polonium has targeted more than a dozen organizations since at least September 2021. Their victims include companies in engineering, information technology, law, communications, branding and marketing, media, insurance and social services. The group’s most recent actions were observed in September 2022.
Polonium has developed custom tools for taking screenshots, logging keystrokes, spying via webcam, opening reverse shells, exfiltrating files and more. Their toolset includes a mix of custom and off-the-shelf open-source tools, as well as seven custom backdoors:
- CreepyDrive, which abuses OneDrive and Dropbox cloud services for command & control (C&C)
- CreepySnail, which executes commands received from the attackers’ own infrastructure
- DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services respectively
- FlipCreep, TechnoCreep and PapaCreep, which receive commands from attackers’ servers