The hacker group POLONIUM (APT) has attacked targets in Israel with previously unknown backdoors and cyber espionage tools. The group mostly uses cloud services for the attacks. The ESET researchers have dubbed the malware "Creepy". The group is said to be working with Iran.
According to the analysis by the researchers of the European IT security manufacturer, the hackers have attacked more than a dozen organizations since at least September 2021. The group's most recent action took place in September 2022. Target industries of this group include engineering, information technology, legal, communications, branding and marketing, media, insurance and social services.
Hacker group probably with Iran connections
According to various security experts, POLONIUM is an operational group based in Lebanon that coordinates its activities with other actors linked to the Iranian Ministry of Intelligence and Security.
“The numerous versions and changes POLONIUM has made to its custom tools show that the group is working continuously and long-term to spy on their targets. ESET concludes from their toolset that they are interested in collecting sensitive data. The group does not appear to be involved in any sabotage or ransomware actions,” says ESET researcher Matías Porolli, who analyzed the POLONIUM malware.
Misuse of Cloud Services
According to ESET researchers, the POLONIUM hacking group is very active and has a large arsenal of malware tools. These are constantly being modified and newly developed by the actors. A common trait of several of the group's tools is the abuse of cloud services such as Dropbox, Mega, and OneDrive for Command & Control (C&C) communications. Intelligence information and public reports about POLONIUM are very sparse and limited, likely because the group's attacks are highly targeted and the initial vector of compromise is unknown.
The cyber espionage tools of the hacking group POLONIUM consist of seven custom-made backdoors: CreepyDrive, which abuses the cloud services OneDrive and Dropbox for C&C; CreepySnail, which executes commands received from attackers' own infrastructure; DeepCreep and MegaCreep, which use Dropbox and Mega file storage services, respectively; as well as FlipCreep, TechnoCreep, and PapaCreep, which receive commands from the attackers' servers. The group has also used several custom modules to spy on their targets. These are able to take screenshots, log keystrokes, spy via webcam, open reverse shells, exfiltrate files and much more.
Many small tools for attack chain
“Most of the group's malicious modules are small and have limited functionality. In one case, the attackers used one module to take screenshots and another to upload them to the C&C server. Similarly, they like to split the code in their backdoors and distribute the malicious functions into various small DLLs, perhaps with the expectation that defenders or researchers won't observe the entire attack chain," explains Porolli.
More at ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.