POLONIUM TARGETS ISRAEL WITH CREEPY MALWARE

ESET researchers analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group

Matías Porolli, 11 Oct 2022 - 11:30AM

ESET researchers reveal their findings about POLONIUM, an advanced persistent threat (APT) group about which little information is publicly available and whose initial compromise vector is unknown. POLONIUM is a cyberespionage group first documented by Microsoft Threat Intelligence Center (MSTIC) in June 2022. MSTIC’s assessment is that POLONIUM is an operational group based in Lebanon, coordinating its activities with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022. Verticals targeted by this group include engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. Our findings describing the tactics of this group, including details about a number of previously undocumented backdoors, were presented in late September at the Virus Bulletin 2022 conference.

Key points of this blogpost:

* Focused only on Israeli targets, POLONIUM attacked more than a dozen organizations in various verticals such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
* ESET Research’s POLONIUM findings were revealed at the Virus Bulletin 2022 conference in late September.
* According to ESET telemetry, the group has used at least seven different custom backdoors since September 2021, and it is currently active at the time of writing.
* The group has developed custom tools for taking screenshots, logging keystrokes, spying via the webcam, opening reverse shells, exfiltrating files, and more.
* For C&C communication, POLONIUM abuses common cloud services such as Dropbox, OneDrive, and Mega.

The numerous versions and changes POLONIUM introduced into its custom tools show a continuous and long-term effort to spy on the group’s targets. While we haven’t observed what commands were executed by operators on compromised machines, we can infer from their toolset that they are interested in collecting confidential data from their targets. The group doesn’t seem to engage in any sabotage or ransomware actions.

As shown in Figure 1, POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which make use of Dropbox and Mega file storage services respectively; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attackers’ servers. The group has also used several custom modules to spy on its targets.

Figure 1. Timeline of observed backdoors deployed by POLONIUM

INITIAL ACCESS

While we don’t know how the group gained initial access to the targeted systems, some of the victims’ Fortinet VPN account credentials were leaked in September 2021 and were made available online.
As such, it is possible that the attackers gained access to the victims’ internal networks by abusing those leaked VPN credentials.

TOOLSET

POLONIUM is an active group that constantly introduces modifications to its custom tools. We have seen more than 10 different malicious modules since we started tracking the group, most of them with various versions or with minor changes for a given version. Some of the most interesting characteristics of the group’s toolset are:

* Abundance of tools: We have seen seven different custom backdoors used by the group since September 2021, and also many other malicious modules for logging keystrokes, taking screenshots, executing commands, taking photos with the webcam, or exfiltrating files.
* Custom tools: In various attacks carried out by this group over a short period of time, we detected the same component containing minor changes. In some other cases, we have seen a module, coded from scratch, that followed the same logic as some previous components. Only in a few cases have we seen the group use publicly available tools or code. All of this indicates to us that POLONIUM builds and maintains its own tools.
* Cloud services: The group abuses common cloud services such as Dropbox, OneDrive, and Mega for C&C communications (receiving commands and exfiltrating data).
* Small components: Most of the group’s malicious modules are small, with limited functionality. In one case the attackers used one module for taking screenshots and another for uploading them to the C&C server. On a similar note, they like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain.

CREEPYDRIVE

CreepyDrive is a PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox. It can upload or download files from attacker-controlled accounts in these cloud services, and execute supplied PowerShell code. Figure 2 shows part of the code that downloads files and executes commands. Note that this backdoor was documented in Microsoft’s report in June 2022.

Figure 2. Code used by CreepyDrive to download files or execute commands

CreepyDrive uses the OneDrive HTTP API (and the Dropbox HTTP API) to access the cloud storage. In both cases it uses a refresh token, client ID, and client secret (all hardcoded) to generate an access token that authenticates the user and grants access to the accounts. While we didn’t observe commands being executed by the attackers on compromised systems, we spotted a log file documenting the execution of a command on a victimized computer. The contents of the log file (decoded) are shown in Figure 3.

Figure 3. Execution log of a command and its output

CREEPYSNAIL

CreepySnail is another PowerShell backdoor that sends HTTP requests to a C&C server and receives and executes PowerShell commands. We saw various versions of this backdoor in the wild, though the differences between them were minimal. Figure 4 shows one version that can run any executable specified by the C&C server (as long as it’s in the malware folder). We won’t go into more detail about this backdoor, as it has already been described by Microsoft in their report.

Figure 4. Code used by CreepySnail to execute commands

DEEPCREEP

DeepCreep is a previously undocumented backdoor written in C# that reads commands from a text file stored in Dropbox accounts and can upload or download files to and from those accounts. Some versions of DeepCreep have obfuscated strings, some separate the code into DLLs, and some have more or fewer commands. We will focus on the most prevalent version for this analysis, although interesting features of other versions will be mentioned.
A command to be executed by the backdoor is read from the file cd.txt in the server-side root folder of the victim; once read, the file is deleted from the cloud. DeepCreep runs this process in an infinite loop, which means that a new cd.txt file has to be placed in the cloud storage for every command to execute. If the file is not found, the backdoor sleeps, then tries again. A list of the commands that DeepCreep can process is shown in Table 1.

Table 1. List of commands supported by DeepCreep

| Command | Description |
| --- | --- |
| GetNoThing | Deletes cd.txt. |
| upload "<local_file_path>" "<file_name_on_dropbox>" | Uploads a file on the victim’s computer to a subfolder 2 in Dropbox. Multiple upload lines can be included in cd.txt to execute more than one upload at once. |
| download "<file_name_on_dropbox>" "<local_file_path>" <bool_abs_p> | Downloads a file from the root folder in Dropbox to the victim’s computer. If <bool_abs_p> is 0, the file is downloaded into %TEMP%\<local_file_path> (relative path). If it’s 1, the file is downloaded into <local_file_path> (absolute path). |
| delay <value> | Sets the delay for all sleep operations, where 1000 is 1 minute. |
| zip "<local_file_folder_path>" "<output_path>" "<size_mb>" | Creates a ZIP file with the specified file or folder and saves it in the specified path on the victim’s computer. The archive is split in chunks of the specified size, in megabytes. |
| Execute with cmd.exe | When none of the previous commands are found in the first line of cd.txt, all of the lines are taken as commands to be executed with cmd.exe. The output produced by the commands is uploaded to a text file in Dropbox. The output encoding for the console is set to Windows-1255, which handles Hebrew characters. |

DeepCreep persists by creating a LNK file in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup and by creating a scheduled task. A PowerShell command is used to create the LNK file, as shown in Figure 5.

Figure 5. Part of the code that DeepCreep uses to establish persistence

Authentication with the cloud is done by using OAuth 2.0 tokens, which are hardcoded in the binaries. DeepCreep needs a legitimate DLL with the Dropbox SDK to be able to communicate with the cloud. We saw some cases where a separate loader – WindowsTool.exe – was used to implement persistence and execute DeepCreep with InstallUtil, a legitimate tool from the .NET Framework. This version of the backdoor has its malicious code provided in an uninstallation routine and is executed with the /u (uninstall) option of InstallUtil.exe, perhaps to mislead defenders. Figure 6 shows part of the code of the loader.

Figure 6. Part of the code of the loader that executes DeepCreep

In terms of string obfuscation, we have seen two variations: ROT13 and the AsStrongAsFuck obfuscator. The latest version of DeepCreep that we have seen uses AES encryption and has the same key commands as the MegaCreep backdoor, which we will describe in the next section.

MEGACREEP

MegaCreep is a previously undocumented backdoor based on DeepCreep, with added functionalities. It reads and executes commands from a text file stored in Mega cloud storage. While MegaCreep is arguably just a newer version of DeepCreep, and in fact reuses code from DeepCreep, it seems the attackers consider both backdoors as separate projects. MegaCreep processes the same commands that we described for DeepCreep, but they are stored in AES-encrypted form in the file cd.txt. It has two additional commands, both related to the key used for decryption, which are described in Table 2.

Table 2. List of new commands added to MegaCreep

| Command | Description |
| --- | --- |
| NewASKey <key> | Receives the decryption key <key>, which is stored locally in Cert.dll (only if the file doesn’t already exist). |
| UPKY <old_key> <new_key> | Updates the decryption key from <old_key> to <new_key>. The process is successful only if <old_key> is the same as the key that the backdoor is currently using. In this case, <new_key> is stored locally in Cert.dll. |

MegaCreep checks for these commands first; they are stored unencrypted in cd.txt. If none of these commands are found, then the contents of cd.txt are decrypted using the key that is in Cert.dll. After decryption, all the same commands that we described for DeepCreep can be executed by MegaCreep.

MegaCreep uses the MegaApiClient C# library to communicate with Mega cloud storage. Authentication is done with a username and password, which are stored encrypted in a local file, Sess.dll. Figure 7 shows the code that loads the username and password from Sess.dll.

Figure 7. Code used in MegaCreep to load username and password

This backdoor is a good example of the preference that POLONIUM has for using separate DLLs with specific functionality, as shown in Figure 8. In the example, two methods from PRLib.dll are called: CHP, which kills running processes with the same name as the backdoor’s executable (i.e., previous executions of the backdoor that are still running), and XVDFv, which implements persistence (in the same way we described for DeepCreep).

Figure 8. Example of MegaCreep calling methods from separate DLLs

Another feature that was added to MegaCreep is that the output from commands executed by cmd.exe is encrypted before it is uploaded to the cloud. The key used for encryption is the same as the one used to decrypt commands.

We saw one case where MegaCreep was deployed using a loader, WLAN-AutoConfig.exe. The main code for the backdoor was placed in a DLL file, MainZero.dll, and other routines that communicate with Mega were placed in another DLL, MagLibrary.dll. Figure 9 shows the code in the loader that calls MainZero.

Figure 9. Code for MegaCreep’s loader

FLIPCREEP

FlipCreep is another previously undocumented backdoor written in C# that has a very similar flow of execution to the other backdoors that we have described: it reads commands from orders.txt – a text file stored on an FTP server operated by POLONIUM – and can upload or download files from the server. The commands that FlipCreep can process are the same as in the other backdoors, with the following considerations:

* The commands upload and download do the opposite of what’s expected. We don’t know if this was a mistake, but upload actually downloads files from the FTP server to the victim, and download uploads files. Both take two arguments, as was the case in MegaCreep. Figure 10 shows part of the code that uploads files; we can see that it looks for the string download.
* There is a command ftpversion that uploads the version of the backdoor (hardcoded) to a file ver.txt on the FTP server, in the root folder for the target.

Figure 10. Part of the FlipCreep code to upload files

FlipCreep creates a folder with the username of the target on the FTP server, along with these subfolders:

* Files: stores files uploaded from the victims
* orders: stores output from commands executed with cmd.exe

Persistence is achieved in the same way as was described for DeepCreep. As for string obfuscation, we’ve seen one sample with ROT13 obfuscation.

TECHNOCREEP

TechnoCreep is a previously undocumented C# backdoor that communicates with a C&C server via TCP sockets. In this case, commands are not read from a file, but received in an exchange of messages. The first message is sent by the backdoor and contains initial information about the victim, in the format:

<PC_NAME>#<USERNAME>#<LIST_IP>#<LIST_OTHER>#<OS>

<LIST_IP> is a list of IP addresses that are resolved for the hostname of the victim, separated by /. The list is obtained by calling Dns.GetHostByName and applying a regular expression for IP addresses.
All the other elements that don’t match the regular expression are sent as <LIST_OTHER> to the C&C server; note that in the most common scenario this list will be empty. TechnoCreep receives commands in an infinite loop. The list of commands is shown in Table 3.

Table 3. List of commands supported by TechnoCreep

| Command | Description |
| --- | --- |
| upload | Uploads a file on the victim’s computer to the C&C server. The path of the file to upload is received in a separate message. If the file exists, the backdoor sends Exist, to which the server replies start or stop. If start is received, the size of the file is sent. Finally, the file is sent to the server as raw bytes. If the message is stop, nothing is done. If the specified file doesn’t exist, NotE is sent to the server. |
| download | Downloads a file from the C&C server. The path where the file will be saved on the victim’s computer is received in a separate message. If NotE is received instead, the process stops. If the path is an absolute path, and the parent folder doesn’t exist, then the backdoor sends NOT. Otherwise, it sends Exists, to which the server replies by sending the size of the file. Then the backdoor sends ok, sleeps for 1 second, and then receives the file as raw bytes. |
| Execute with cmd.exe | When neither of the previous commands is received, the message is taken as a command to be executed with cmd.exe. The output is sent to the server. |

TechnoCreep persists by copying its executable to the Startup folder, as shown in Figure 11. Identical code can also be found in some versions of DeepCreep. Note that no LNK files are used in this method.

Figure 11. TechnoCreep code establishing persistence

PAPACREEP

PapaCreep is a previously undocumented custom backdoor written in C++ that can receive and execute commands from a remote server via TCP sockets. First seen in September 2022, this is the first backdoor used by POLONIUM that was not written in C# or PowerShell.

PapaCreep is a modular backdoor; its code has been divided into various components, some of them with minimal functionality. We can summarize the main components as:

* Executive: looks for a file with commands and executes them with cmd.exe. The output is saved to a file.
* Mailman: communicates with a C&C server to receive commands and writes them to a file. It also sends the file with output from commands to the C&C server.
* CreepyUp: uploads any file to the C&C server.
* CreepyDown: downloads any file from the C&C server.

The Executive and Mailman components run independently from each other and are even persisted with separate scheduled tasks in a compromised system. Communication with the remote server uses raw TCP sockets, but the information that is sent and received by the backdoor is contained in HTML code (with a fake HTTP header). Figure 12 shows that the header is hardcoded in the backdoor, and Content-length is always 1024. Note that Content-Type is text/-html, which is not a normal value.

Figure 12. Hardcoded HTTP header used by the PapaCreep backdoor

The Mailman component initiates communication with the C&C server by sending <PC_NAME>-<USERNAME> (base64 encoded). It then starts two threads: one of them receives commands from the server and the other one sends any available output from the execution of commands. Delimiters are used for both sending and receiving: code#s and code#f are used to mark the start and end of the data. An example of a message sent to the server with the output of a dir command is shown in Figure 13.

Figure 13. Example of a message sent to the C&C server, and the decoded content

If the content is bigger than 1024 bytes, more than one message will be transmitted. In that case, the first message will have the start delimiter and the final message will have the end delimiter. The IP address and port of the C&C server are read from a text file, yetty.dll, with the format <IP_address>::<port> (base64 encoded).
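As an added illustration from the defender's side (not code from the article, from ESET, or from the malware), the following Python snippet flags captured messages that carry the two header anomalies described above (a Content-Type of text/-html and a constant Content-length of 1024) and reassembles a code#s ... code#f delimited payload that was split across several messages. The exact header line layout, the HTML wrapper around the data, and base64 encoding of the payload are assumptions; the captured messages are constructed for the demo.

```python
import base64
import re

# Delimiters the article attributes to PapaCreep's Mailman component.
START_DELIM = "code#s"
END_DELIM = "code#f"

# Constructed fake HTTP header built from the anomalies the article names
# (Content-Type "text/-html", Content-length always 1024). The exact line
# layout is an assumption, not copied from the backdoor.
FAKE_HEADER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/-html\r\n"
    "Content-length: 1024\r\n"
    "\r\n"
)


def looks_like_papacreep(message: str) -> bool:
    """Flag a captured message whose header carries both anomalies."""
    header = message.split("\r\n\r\n", 1)[0]
    bad_type = re.search(r"(?im)^content-type:\s*text/-html\s*$", header)
    fixed_len = re.search(r"(?im)^content-length:\s*1024\s*$", header)
    return bool(bad_type and fixed_len)


def body_text(message: str) -> str:
    """Return the body with HTML tags stripped (assumes a plain HTML wrapper)."""
    parts = message.split("\r\n\r\n", 1)
    body = parts[1] if len(parts) == 2 else ""
    return re.sub(r"<[^>]+>", "", body).strip()


def reassemble(messages):
    """Walk captured messages in order, join the pieces between code#s and
    code#f, and base64-decode the result (encoding is an assumption).
    Returns the decoded payloads; a stream with no end delimiter is dropped."""
    decoded = []
    buffer = None
    for message in messages:
        if not looks_like_papacreep(message):
            continue  # unrelated traffic in the same capture
        text = body_text(message)
        if text.startswith(START_DELIM):
            buffer = text[len(START_DELIM):]  # first (or only) chunk
        elif buffer is not None:
            buffer += text  # continuation chunk
        else:
            continue  # continuation without a start delimiter: ignore
        if buffer.endswith(END_DELIM):
            payload = buffer[:-len(END_DELIM)]
            buffer = None
            try:
                raw = base64.b64decode(payload, validate=True)
                decoded.append(raw.decode("utf-8", "replace"))
            except ValueError:
                pass  # not valid base64: leave for manual review
    return decoded


# --- constructed sample traffic (not real captures) -------------------
def make_message(chunk: str) -> str:
    """Build one constructed message in the assumed layout for the demo."""
    return FAKE_HEADER + "<html><body>" + chunk + "</body></html>"


SAMPLE_OUTPUT = (
    " Volume in drive C has no label.\r\n"
    " Directory of C:\\Users\\user\r\n\r\n"
    "10/11/2022  11:30 AM    <DIR>          Documents\r\n"
)
_encoded = base64.b64encode(SAMPLE_OUTPUT.encode()).decode()
_half = len(_encoded) // 2

CAPTURED = [
    make_message(START_DELIM + _encoded[:_half]),
    # an unrelated, well-formed HTTP response mixed into the capture
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 19\r\n\r\n"
    "<html>benign</html>",
    make_message(_encoded[_half:] + END_DELIM),
]

if __name__ == "__main__":
    for m in CAPTURED:
        print("suspicious" if looks_like_papacreep(m) else "normal")
    for p in reassemble(CAPTURED):
        print(p)
```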
The CreepyUp and CreepyDown modules are not part of the main flow of execution of the backdoor and can be executed on demand. They are standalone command line tools that take two arguments, a local and a remote file. Curiously, CreepyDown’s filename on compromised computers is UCLN.exe and CreepyUp’s is DCLN.exe. This is similar to the commands upload and download in the FlipCreep backdoor, which do the opposite of what is expected. Both CreepyUp and CreepyDown read the server information from the yetty.dll text file.

OTHER MODULES

To spy on their victims, POLONIUM uses several other modules on top of their backdoors, including reverse shell modules and a module for creating a tunnel. ESET researchers have observed many variants of the modules that the group uses for taking screenshots. As for keyloggers, POLONIUM has used both custom and open-source ones. The group’s custom keylogger monitors keystrokes and clipboard contents and supports both Hebrew and Arabic keyboards. POLONIUM has also used a simple module that uses AForge.NET to take a snapshot from the webcam and save it in the TEMP folder.

NETWORK INFRASTRUCTURE

POLONIUM didn’t use domain names in any of the samples that we analyzed, only IP addresses. Most of the servers are dedicated VPS, likely purchased rather than compromised, hosted at HostGW. There is one special case: IP address 45.80.149[.]154 hosts erichmocanu.tv, which seems to be a legitimate website. It is likely that POLONIUM used this server before it was assigned to its current owner.

CONCLUSION

POLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega and OneDrive for C&C communications.

Intelligence and public reports about POLONIUM are very scarce and limited, likely because the group’s attacks are highly targeted and the initial compromise vector is not known. ESET Research will continue to track its activities and document its attacks.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. ESET Research also offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IOCS

A comprehensive list of Indicators of Compromise and samples can be found in our GitHub repository.
MITRE ATT&CK TECHNIQUES

This table was built using version 11 of the MITRE ATT&CK framework.

| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Resource Development | T1583.003 | Acquire Infrastructure: Virtual Private Server | POLONIUM has acquired various servers for C&C and also for storing exfiltrated files. |
| | T1587.001 | Develop Capabilities: Malware | POLONIUM has developed at least six backdoors and several other malicious modules. |
| | T1588.001 | Obtain Capabilities: Malware | POLONIUM has used a publicly available keylogger. |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | POLONIUM has used the CreepySnail and CreepyDrive PowerShell backdoors in their attacks. |
| | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | DeepCreep, MegaCreep, FlipCreep and TechnoCreep use cmd.exe to execute commands in a compromised computer. |
| | T1129 | Shared Modules | DeepCreep and MegaCreep have their code divided into small DLLs, which are loaded both statically and dynamically. |
| Persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | POLONIUM’s backdoors persist by writing shortcuts to the Windows Startup folder. |
| | T1053.005 | Scheduled Task/Job: Scheduled Task | DeepCreep, MegaCreep and FlipCreep create scheduled tasks for persistence. |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | DeepCreep and MegaCreep use AES encryption to obfuscate commands and login credentials stored in local files on the victim’s computer. |
| | T1070.004 | Indicator Removal on Host: File Deletion | POLONIUM’s exfiltration modules delete screenshot files or keystroke logs from a compromised host after they are exfiltrated. |
| | T1036.005 | Masquerading: Match Legitimate Name or Location | POLONIUM has used filenames such as Mega.exe or DropBox.exe for its backdoors, to make them look like legitimate binaries. |
| | T1218.004 | System Binary Proxy Execution: InstallUtil | POLONIUM has used InstallUtil.exe to execute DeepCreep. |
| Discovery | T1083 | File and Directory Discovery | POLONIUM’s custom exfiltrator module builds a listing of files for any given folder. |
| | T1057 | Process Discovery | DeepCreep, MegaCreep and FlipCreep look for running processes and kill other instances of themselves. |
| | T1082 | System Information Discovery | TechnoCreep and POLONIUM’s reverse shell module send information such as computer name, username, and operating system to a remote server, in order to identify their victims. |
| | T1016 | System Network Configuration Discovery | TechnoCreep sends a list of IP addresses associated with a victim’s computer. |
| | T1033 | System Owner/User Discovery | POLONIUM has executed whoami.exe to identify the logged-on user. |
| Collection | T1560.002 | Archive Collected Data: Archive via Library | DeepCreep, MegaCreep and FlipCreep use .NET’s ZipFile class to archive collected data. |
| | T1115 | Clipboard Data | POLONIUM’s custom keylogger retrieves clipboard data from compromised computers. |
| | T1005 | Data from Local System | POLONIUM’s exfiltrator module collects files from a compromised system. |
| | T1056.001 | Input Capture: Keylogging | POLONIUM has used custom and publicly available keyloggers. |
| | T1113 | Screen Capture | POLONIUM has used custom modules for taking screenshots. |
| | T1125 | Video Capture | POLONIUM has used a custom module to capture images using the compromised computer’s webcam. |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | CreepySnail and POLONIUM’s file exfiltrator modules use HTTP communication with the C&C server. |
| | T1071.002 | Application Layer Protocol: File Transfer Protocols | FlipCreep and POLONIUM’s file exfiltrator modules use FTP communication with the C&C server. |
| | T1132.001 | Data Encoding: Standard Encoding | CreepySnail, CreepyDrive and some of POLONIUM’s reverse shell modules use base64-encoded commands to communicate with the C&C server. |
| | T1573.001 | Encrypted Channel: Symmetric Cryptography | DeepCreep and MegaCreep AES-encrypt commands and their output. |
| | T1095 | Non-Application Layer Protocol | TechnoCreep and POLONIUM’s reverse shell module use TCP. |
| | T1571 | Non-Standard Port | POLONIUM has used non-standard ports, such as 5055 or 63047, for HTTP. |
| | T1572 | Protocol Tunneling | POLONIUM’s tunnels module uses the Plink utility to create SSH tunnels. |
| | T1102.002 | Web Service: Bidirectional Communication | POLONIUM has used cloud platforms such as OneDrive, Dropbox, and Mega to send commands and store the output. |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | DeepCreep, MegaCreep, FlipCreep and TechnoCreep exfiltrate files over the C&C channel via upload commands. |
| | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | POLONIUM has used OneDrive, Dropbox, and Mega cloud storage to store stolen information. |