POLONIUM APT targets Israel with a new custom backdoor dubbed PapaCreep

An APT group tracked as Polonium employed custom backdoors in attacks aimed at Israelian entities since at least September 2021.

POLONIUM APT focused only on Israeli targets, it launched attacks against more than a dozen organizations in various industries, including engineering, information technology, law, communications, branding and marketing, media, insurance, and social services.

Microsoft MSTIC researchers believe that the attackers were coordinated with other actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap and TTPs. This circumstance is confirmed by revelations that emerged in the last couple of years that the Iranian government is using cyber mercenaries for its operations.

MSTIC has observed POLONIUM active on or targeting multiple organizations that were previously compromised by Iran-linked MuddyWater APT (aka MERCURY). 

According to Microsoft, POLONIUM is an APT group based in Lebanon that coordinates its activities with other actors affiliated with the Iranian Ministry of Intelligence and Security.

Now ESET researchers reported that the APT group has used at least seven different custom backdoors since September 2021 against Israeli targets.

Most of the attacks were spotted on September 2022, and the custom tools developed by the group allowed them to spy on the victims.

The tools allow the attackers to take screenshots, log keystrokes, spy via the webcam, open reverse shells, exfiltrate files, and more.

Below is the list of hacking tools employed in the attacks:

• CreepyDrive/CreepyBox – A PowerShell backdoor executes commands included in a text file stored on OneDrive or Dropbox.
• CreepySnail – A PowerShell backdoor that receives attackers’ own infrastructure
• DeepCreep – A C# backdoor that executes commands from a text file stored in Dropbox accounts and exfiltrates data
• MegaCreep – A C# backdoor that executes commands from a text file stored in Mega accounts and exfiltrates data
• FlipCreep – A C# backdoor that reads commands from a text file stored in an FTP server operated by the attackers.
• TechnoCreep – A C# backdoor that communicates with the C2 server via TCP sockets and exfiltrate data.
• PapaCreep – A C++ backdoor that can receive and execute commands from a remote server via TCP sockets

The custom backdoors abuse popular cloud services such as Dropbox, OneDrive, and Mega for command and control infrastructure.

“ESET researchers recently analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group. ESET named the five previously undocumented backdoors with the suffix “-Creep.”” reads the report published by ESET. “According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022.”

Below is the timeline of observed backdoors deployed by the threat actors:

In the most recent attacks, the group employed CreepyDrive, MegaCreep implants along with the PowerShell backdoor CreepySnail.

“The numerous versions and changes POLONIUM introduced into its custom tools show a continuous and long-term effort to spy on the group’s targets. ESET can infer from their toolset that they are interested in collecting confidential data from their targets. The group doesn’t seem to engage in any sabotage or ransomware actions,” said ESET researcher Matías Porolli.

In September, ESET observed the threat actors using a previously undocumented custom backdoor, dubbed PapaCreep. The C++ backdoor can receive and execute commands from a remote server via TCP sockets. The experts pointed out that PapaCreep is the first backdoor used by POLONIUM APT that was not written in C# or PowerShell.

PapaCreep is a modular malware, below are its main components:

• Executive: looks for a file with commands and executes them with cmd.exe. The output is saved to a file.
• Mailman: communicates with a C&C server to receive commands and writes them to a file. It also sends the file with output from commands to the C&C server.
• CreepyUp: uploads any file to the C&C server.
• CreepyDown: downloads any file from the C&C server.

The experts noticed that the group exclusively used IP addresses in the code of the analyzed samples.

ESET reported that most of the servers are dedicated VPS, likely purchased rather than compromised, hosted at HostGW.

Despite the researchers have analyzed multiple artifacts used in the attacks, the initial compromise vector is yet to be discovered.

“POLONIUM is a very active threat actor with a vast arsenal of malware tools and is constantly modifying them and developing new ones. A common characteristic of several of the group’s tools is the abuse of cloud services such as Dropbox, Mega and OneDrive for C&C communications.” concludes the report. “Intelligence and public reports about POLONIUM are very scarce and limited, likely because the group’s attacks are highly targeted, and the initial compromise vector is not known.” 

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, APT)

[adrotate banner=”5″]

[adrotate banner=”13″]