A threat actor tracked as Polonium has been linked to over a dozen highly targeted attacks aimed at Israelian entities with seven different custom backdoors since at least September 2021.
The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said.
Polonium is the chemical element-themed moniker given by Microsoft to a sophisticated operational group that's believed to be based in Lebanon and is known to exclusively strike Israeli targets.
Activities undertaken by the group first came to light earlier this June when the Windows maker disclosed it suspended more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes.
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
ESET's latest discovery of five more previously undocumented backdoors brings into focus an active espionage-oriented threat actor that's constantly refining and retooling its malware arsenal.
"The numerous versions and changes Polonium introduced into its custom tools show a continuous and long-term effort to spy on the group's targets," ESET researcher Matías Porolli said. "The group doesn't seem to engage in any sabotage or ransomware actions."
The list of bespoke hacking tools is as follows -
- CreepyDrive/CreepyBox - A PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox.
- CreepySnail - A PowerShell backdoor that receives commands from the attacker's own C2 server
- DeepCreep - A C# backdoor that reads commands from a text file stored in Dropbox accounts and exfiltrates data
- MegaCreep - A C# backdoor that reads commands from a text file stored in Mega cloud storage service
- FlipCreep - A C# backdoor that reads commands from a text file stored in an FTP server and exfiltrates data
- TechnoCreep - A C# backdoor that communicates with the C2 server via TCP sockets to execute commands and exfiltrate data
- PapaCreep - A C++ backdoor that can receive and execute commands from a remote server via TCP sockets
PapaCreep, spotted as recently as September 2022, is a modular malware that contains four different components that are designed to run commands, receive and send commands and their outputs, and upload and download files.
The Slovak cybersecurity firm said it also uncovered several other modules responsible for logging keystrokes, capturing screenshots, taking photos via webcam, and establishing a reverse shell on the compromised machine.
Despite the abundance of malware utilized in the attacks, the initial access vector used to breach the networks is currently unknown, although it's suspected that it may have involved the exploitation of VPN flaws.
"Most of the group's malicious modules are small, with limited functionality," Porolli said. "They like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain."