APT group POLONIUM targets Israel with Creepy backdoors, abuses popular cloud services
Focused only on Israeli targets, the Iran-affiliated group attacked more than a dozen organizations in various verticals
Cybertech
| 11/10/2022
Illustration: BIGSTOCK/Copyright: Thapana_Studio
ESET researchers recently analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group. ESET named the five previously undocumented backdoors with the suffix “-Creep.” According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022.
The verticals targeted by this group include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. POLONIUM is a cyberespionage group first documented by Microsoft in June 2022. According to Microsoft, the group is based in Lebanon and coordinates its activities with other actors affiliated with Iran’s Ministry of Intelligence and Security.
According to ESET Research, POLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega, and OneDrive for command and control (C&C) communications. Intelligence and public reports about POLONIUM are very scarce and limited, likely because the group’s attacks are highly targeted, and the initial compromise vector is not known.
“The numerous versions and changes POLONIUM introduced into its custom tools show a continuous and long-term effort to spy on the group’s targets. ESET can infer from their toolset that they are interested in collecting confidential data from their targets. The group doesn’t seem to engage in any sabotage or ransomware actions,” says ESET researcher Matías Porolli, who analyzed the malware.
POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services, respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attackers’ servers. The group has also developed several custom modules to spy on its targets by taking screenshots, logging keystrokes, spying via the webcam, opening reverse shells, exfiltrating files, and more.
“Most of the group’s malicious modules are small, with limited functionality. In one case the attackers used one module for taking screenshots and another for uploading them to the C&C server. On a similar note, they like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain,” explains Porolli.
Focused only on Israeli targets, the Iran-affiliated group attacked more than a dozen organizations in various verticals
Illustration: BIGSTOCK/Copyright: Thapana_Studio
ESET researchers recently analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group. ESET named the five previously undocumented backdoors with the suffix “-Creep.” According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022.
The verticals targeted by this group include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. POLONIUM is a cyberespionage group first documented by Microsoft in June 2022. According to Microsoft, the group is based in Lebanon and coordinates its activities with other actors affiliated with Iran’s Ministry of Intelligence and Security.
According to ESET Research, POLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega, and OneDrive for command and control (C&C) communications. Intelligence and public reports about POLONIUM are very scarce and limited, likely because the group’s attacks are highly targeted, and the initial compromise vector is not known.
“The numerous versions and changes POLONIUM introduced into its custom tools show a continuous and long-term effort to spy on the group’s targets. ESET can infer from their toolset that they are interested in collecting confidential data from their targets. The group doesn’t seem to engage in any sabotage or ransomware actions,” says ESET researcher Matías Porolli, who analyzed the malware.
POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services, respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attackers’ servers. The group has also developed several custom modules to spy on its targets by taking screenshots, logging keystrokes, spying via the webcam, opening reverse shells, exfiltrating files, and more.
“Most of the group’s malicious modules are small, with limited functionality. In one case the attackers used one module for taking screenshots and another for uploading them to the C&C server. On a similar note, they like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain,” explains Porolli.
