ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.
Polonium was initially detailed by Microsoft in June 2022, but evidence suggests that the group has been active since at least September 2021, mainly focusing on cyberespionage.
Operating out of Lebanon, the APT is believed to be working with threat actors affiliated with Iran in the targeting of more than 20 communications, engineering, insurance, information technology, law, marketing, media, and social services entities in Israel.
An active threat that constantly updates its toolset, Polonium has been using seven different backdoors and custom tools slightly modified between attacks, and has been abusing cloud services for command and control (C&C) communications.
“We have seen more than 10 different malicious modules since we started tracking the group, most of them with various versions or with minor changes for a given version,” ESET explains.
The group relies on small modules with limited functionality and even divide the code in their seven backdoors – namely CreepyDrive, CreepySnail, DeepCreep, MegaCreep, FlipCreep, TechnoCreep, and PapaCreep – to hide the full infection chain.
In use since February 2022, CreepyDrive and CreepySnail are PowerShell backdoors that support command execution and which have been detailed by Microsoft in June. The five remaining backdoors in Polonium’s arsenal are previously undocumented.
DeepCreep is a C# backdoor in use since October 2021, which can retrieve commands from text files on Dropbox, can upload and download files to and from the cloud service, and achieves persistence by placing a shortcut file in the Startup folder and by creating a scheduled task.
MegaCreep, which Polonium has been using since April 2022, retrieves commands from text files stored in Mega cloud storage. The backdoor appears to be a newer version of DeepCreep, reusing some of its code.
FlipCreep, a C# backdoor that reads commands from a text file on an FTP server, and TechnoCreep, which relies on TCP sockets for C&C communication, support similar file transfer capabilities as the other malware families and have been in use since September 2021.
Written in C++, PapaCreep is the most recent backdoor in Polonium’s arsenal, first seen in September 2022. Featuring a modular design, it uses different components to read commands from a file, to communicate with the C&C server, to upload files to the C&C, and to download files from the server.
The cyberespionage group uses additional modules on top of these backdoors, including reverse shells and a tunneling module, as well as custom and open source keyloggers.