Pierluigi Paganini
October 13, 2022
POLONIUM APT focused only on Israeli targets, it launched attacks against more than a dozen organizations in various industries, including engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.
Microsoft MSTIC researchers believe that the attackers were coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and TTPs. This circumstance is confirmed by revelations that emerged in the last couple of years that the Iranian government is using cyber mercenaries for its operations.
MSTIC has observed POLONIUM active on or targeting multiple organizations that were previously compromised by Iran-linked MuddyWater APT (aka MERCURY).
According to Microsoft, POLONIUM is an APT group based in Lebanon that coordinates its activities with other actors affiliated with the Iranian Ministry of Intelligence and Security.
Now ESET researchers reported that the APT group has used at least seven different custom backdoors since September 2021 against Israeli targets.
Most of the attacks were spotted on September 2022, and the custom tools developed by the group allowed them to spy on the victims.
The tools allow the attackers to take screenshots, log keystrokes, spy via the webcam, open reverse shells, exfiltrate files, and more.
Below is the list of hacking tools employed in the attacks:
The custom backdoors abuse popular cloud services such as Dropbox, OneDrive, and Mega for command and control infrastructure.
“ESET researchers recently analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group. ESET named the five previously undocumented backdoors with the suffix “-Creep.”” reads the report published by ESET. “According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022.”
Below is the timeline of observed backdoors deployed by the threat actors:
In the most recent attacks, the group employed CreepyDrive, MegaCreep implants along with the PowerShell backdoor CreepySnail.
“The numerous versions and changes POLONIUM introduced into its custom tools show a continuous and long-term effort to spy on the group’s targets. ESET can infer from their toolset that they are interested in collecting confidential data from their targets. The group doesn’t seem to engage in any sabotage or ransomware actions,” said ESET researcher Matías Porolli.
In September, ESET observed the threat actors using a previously undocumented custom backdoor, dubbed PapaCreep. The C++ backdoor can receive and execute commands from a remote server via TCP sockets. The experts pointed out that PapaCreep is the first backdoor used by POLONIUM APT that was not written in C# or PowerShell.
PapaCreep is a modular malware, below are its main components:
The experts noticed that the group exclusively used IP addresses in the code of the analyzed samples.
ESET reported that most of the servers are dedicated VPS, likely purchased rather than compromised, hosted at HostGW.
Despite the researchers have analyzed multiple artifacts used in the attacks, the initial compromise vector is yet to be discovered.
“POLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega and OneDrive for C&C communications.” concludes the report. “Intelligence and public reports about POLONIUM are very scarce and limited, likely because the group’s attacks are highly targeted, and the initial compromise vector is not known.”
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, APT)
[adrotate banner=”5″]
[adrotate banner=”13″]
