Since September 2021, Polonium has been linked to over a dozen highly targeted attacks aimed at Israeli entities, employing seven different custom backdoors.
The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said.
Polonium is the chemical element-themed moniker Microsoft gives to a sophisticated operational group that is based in Lebanon and is known to strike only Israeli targets.
Activities undertaken by the group first came to light earlier this June when the Windows maker disclosed it suspended more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes.
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
This discovery brings to light the fact that ESET is continually refining and retooling its malware arsenal in order to combat espionage-oriented threats.
"The numerous versions and changes Polonium introduced into its custom tools show a continuous and long-term effort to spy on the group's targets," ESET researcher Matías Porolli said. "The group doesn't seem to engage in any sabotage or ransomware actions."
The list of bespoke hacking tools is as follows:
- CreepyDrive/CreepyBox - A PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox.
- CreepySnail - A PowerShell backdoor that receives commands from the attacker's own C2 server
- DeepCreep - A C# backdoor that reads commands from a text file stored in Dropbox accounts and exfiltrates data
- MegaCreep - A C# backdoor that reads commands from a text file stored in Mega cloud storage service
- FlipCreep - A C# backdoor that reads commands from a text file stored in an FTP server and exfiltrates data
- TechnoCreep - A C# backdoor that communicates with the C2 server via TCP sockets to execute commands and exfiltrate data
- PapaCreep - A C++ backdoor that can receive and execute commands from a remote server via TCP sockets
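For defenders, the cloud-storage command channels in the list above (OneDrive, Dropbox, Mega) can be hunted in endpoint network telemetry by looking for processes other than the expected sync clients and browsers contacting those services' APIs at regular intervals. The following is an added example, not code from ESET or Microsoft; the API hostnames, the allowlist of expected clients, the thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import pstdev

# Assumption: API hostnames for the cloud services named in the list above.
CLOUD_API_HOSTS = {
    "graph.microsoft.com": "OneDrive", "api.onedrive.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox", "content.dropboxapi.com": "Dropbox",
    "g.api.mega.co.nz": "Mega",
}
# Assumption: clients expected to reach these services in this environment.
EXPECTED_CLIENTS = {"onedrive.exe", "dropbox.exe", "megasync.exe",
                    "msedge.exe", "chrome.exe"}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample telemetry: (epoch seconds, host, process image, destination)
SAMPLE_EVENTS = (
    [(t, "WS-01", PS, "api.dropboxapi.com") for t in (0, 60, 121, 180, 240)]
    + [(t, "WS-01", r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
        "graph.microsoft.com") for t in (5, 65, 125, 185)]
    + [(t, "WS-02", r"C:\Tools\backup_tool.exe", "g.api.mega.co.nz")
       for t in (100, 900)]
    + [(300, "WS-03", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "content.dropboxapi.com"),
       (310, "WS-02", PS, "example.org")]
)

def hunt(events, min_hits=4, max_jitter=5.0):
    """Flag unexpected processes contacting cloud storage APIs."""
    seen = defaultdict(list)
    for ts, host, image, dest in events:
        service = CLOUD_API_HOSTS.get(dest.lower())
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if service and name not in EXPECTED_CLIENTS:
            seen[(host, name, service)].append(ts)
    findings = []
    for (host, name, service), stamps in sorted(seen.items()):
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        # Evenly spaced contacts suggest an automated check-in loop.
        periodic = len(stamps) >= max(min_hits, 2) and pstdev(gaps) <= max_jitter
        findings.append({"host": host, "process": name, "service": service,
                         "hits": len(stamps), "periodic": periodic})
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

A finding is a lead for triage rather than a verdict: legitimate scripts and backup tools also call these APIs, so the allowlist needs tuning per environment.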
PapaCreep, spotted as recently as September 2022, is a modular malware that contains four different components that are designed to run commands, receive and send commands and their outputs, and upload and download files.
The Slovak cybersecurity firm said it also uncovered several other modules responsible for logging keystrokes, capturing screenshots, taking photos via webcam, and establishing a reverse shell on the compromised machine.
Despite the abundance of malware utilized in the attacks, the initial access vector used to breach the networks is currently unknown, although it's suspected that it may have involved the exploitation of VPN flaws.
"Most of the group's malicious modules are small, with limited functionality," Porolli said. "They like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain."