Researchers have identified that the Lebanon-based hacking group POLONIUM used a wide range of self-developed malware during its attacks on Israeli organizations. The group is known for espionage attacks, with no interest in data encryption or deletion.

POLONIUM’s toolset

According to ESET researchers, the group has been using several custom-built backdoors against a wide range of Israeli organizations in the communications, insurance, engineering, IT, law, branding and marketing, and social services sectors.
  • Since September 2021, it has used seven or more tools, including four new backdoors called MegaCreep, PapaCreep, TechnoCreep, and FlipCreep.
  • In addition, the group uses open-source and off-the-shelf tools alongside custom-built software for keylogging, taking screenshots, reverse proxying, and webcam recording.
  • The network infrastructure used by the attackers is either private infrastructure hosted behind virtual private servers (VPS) or legitimate websites the group has compromised. This helps it keep its tracks hidden.

Initial access

Researchers suspect that the attackers obtained initial access to the target networks by abusing Fortinet VPN account credentials that were leaked in a breach in September 2021.

The creepy backdoors

The backdoors used by the POLONIUM group have different capabilities, such as keylogging, taking screenshots, exfiltrating files, executing commands, and installing additional malware.
  • CreepyDrive is a PowerShell backdoor that uses public cloud services such as OneDrive and Dropbox for C&C.
  • CreepySnail is a PowerShell backdoor that executes arbitrary commands received from the attackers on the infected device.
  • DeepCreep is a C# backdoor that accepts commands written in a text file stored in Dropbox accounts, and based on instructions, it uploads or downloads files to and from those accounts.
  • MegaCreep accepts commands written in a text file stored in the Mega file storage service, and based on those instructions, it uploads or downloads files to and from those accounts.
  • FlipCreep, TechnoCreep, and PapaCreep receive their commands from servers under the attackers' control. Beyond the backdoors, the group has used a few further custom tools to spy on its targets.
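Because the Creep backdoors described above poll legitimate cloud storage services (OneDrive, Dropbox, Mega) for command files, the malicious traffic blends in with normal sync-client and browser activity. One way to hunt for it is to look for processes other than the expected clients repeatedly reaching those storage APIs. The script below is an added example, not code from the article or from ESET: the API host names, the process baseline and the proxy log lines are all constructed assumptions.

```python
import re
from collections import Counter

# Cloud storage endpoints the article names as POLONIUM C&C channels.
# Host names are assumed (typical API endpoints), not taken from the article.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "g.api.mega.co.nz": "Mega",
}

# Processes expected to talk to these services on a managed workstation (assumed baseline).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe",
                    "Dropbox.exe", "OneDrive.exe", "MEGAsync.exe"}

# Constructed proxy log format: "<ts> host=<host> proc=<process> dst=<destination>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$")


def parse_line(line):
    """Parse one proxy log line; returns a dict or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_cloud_c2(lines, min_hits=3):
    """Return findings for unexpected processes repeatedly polling cloud storage APIs.

    A single hit may be benign (e.g. an installer); repeated polling by a
    non-sync-client process is the pattern worth triaging.
    """
    hits = Counter()
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["dst"] not in CLOUD_STORAGE_HOSTS:
            continue
        if ev["proc"] in EXPECTED_CLIENTS:
            continue
        hits[(ev["host"], ev["proc"], CLOUD_STORAGE_HOSTS[ev["dst"]])] += 1
    return [{"host": h, "process": p, "service": s, "hits": n}
            for (h, p, s), n in sorted(hits.items()) if n >= min_hits]


# Constructed sample log: one PowerShell poller, one renamed binary, one single hit.
SAMPLE_LOG = """\
2022-10-12T09:00:01Z host=WS01 proc=chrome.exe dst=graph.microsoft.com
2022-10-12T09:00:05Z host=WS01 proc=powershell.exe dst=graph.microsoft.com
2022-10-12T09:01:05Z host=WS01 proc=powershell.exe dst=graph.microsoft.com
2022-10-12T09:02:05Z host=WS01 proc=powershell.exe dst=graph.microsoft.com
2022-10-12T09:02:30Z host=WS02 proc=Dropbox.exe dst=api.dropboxapi.com
2022-10-12T09:03:00Z host=WS03 proc=svchost.exe dst=g.api.mega.co.nz
2022-10-12T09:03:10Z host=WS03 proc=update.exe dst=api.dropboxapi.com
2022-10-12T09:04:10Z host=WS03 proc=update.exe dst=api.dropboxapi.com
2022-10-12T09:05:10Z host=WS03 proc=update.exe dst=api.dropboxapi.com
2022-10-12T09:05:20Z host=WS03 proc=update.exe dst=api.dropboxapi.com
"""

if __name__ == "__main__":
    for finding in find_cloud_c2(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the sample log this flags the PowerShell poller on WS01 and the renamed binary on WS03, while the single svchost.exe hit stays below the threshold for a human to review separately.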

Concluding notes

POLONIUM has steadily enhanced its malware over time. Its abuse of public cloud services such as OneDrive, Mega, and Dropbox signals a major shift in its attack infrastructure. The group is currently focused on Israeli targets, but experts suspect that this may change in the near future. Security communities should therefore keep tracking this group continuously.
Cyware Publisher