According to ESET, POLONIUM is a cyber espionage group documented for the first time by the Microsoft Threat Intelligence Center (MSTIC) in June 2022. The MSTIC’s assessment is that POLONIUM is a Lebanon-based task force, coordinating its activities with other actors affiliated with the Iranian Ministry of Intelligence and Security (MOIS).
According to ESET telemetry, POLONIUM is focused solely on Israeli targets and has attacked more than a dozen organizations in Israel since at least September 2021; the most recent actions of the group were observed in September 2022. The sectors targeted by this group are engineering, information technology, law, communications, trademarks and marketing, media, insurance and social services.
ESET’s findings, which describe the tactics of this group and include details about a series of previously undocumented backdoors, were presented at the Virus Bulletin 2022 conference in late September.
Key Research Points
According to ESET telemetry, the group has used at least seven different custom backdoors since September 2021, and these are currently still active. In addition, the group has developed custom tools to take screenshots, record keystrokes, spy via webcam, open reverse shells, exfiltrate files, and more.
The many versions and changes that POLONIUM made to its custom tools show a long-term and ongoing effort to spy on the group’s targets. Although it has not been observed what commands the operators executed on the compromised machines, ESET researchers can deduce from the toolset that the group is interested in collecting sensitive data from its targets. The group does not appear to be involved in sabotage or ransomware actions.
As can be seen from the graph, the POLONIUM toolkit consists of seven custom backdoors: CreepyDrive, which abuses the OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes the commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which use the file storage services Dropbox and Mega respectively; and FlipCreep, TechnoCreep and PapaCreep, which receive orders from the attacker’s servers. The group has also used various custom modules to spy on its targets.
POLONIUM is an active group that constantly introduces modifications to its custom tools. The ESET research team has observed more than 10 different malicious modules since it started tracking the group, most of them with several versions or with minor changes within a given version. Some of the more interesting features of the group’s toolset are:
· Tool abundance: ESET has observed seven different custom backdoors used by the group since September 2021, as well as many other malicious modules to log keystrokes, take screenshots, execute commands, take webcam photos or exfiltrate files.
· Custom tools: In several attacks carried out by this group over a short period of time, researchers have detected the same component with minor changes. In other cases, a module coded from scratch has been seen that followed the same logic as some previous component. Only in a few cases has the group been seen to use publicly available tools or code. All this indicates that POLONIUM builds and maintains its own tools.
· Cloud services: The group abuses common cloud services like Dropbox, OneDrive and Mega for C&C communications (receiving commands and exfiltrating data).
· Small components: Most of the group’s malicious modules are small, with limited functionality. In one case, the attackers used one module to take screenshots and another to upload them to the C&C server. Similarly, they like to split the code of their backdoors, distributing the malicious functionality across several small DLLs, perhaps hoping that defenders or researchers won’t see the entire attack chain.