POLONIUM hackers unleashed numerous weapons to target Israel

October 20, 2022

The Lebanon-based hacking group POLONIUM has deployed multiple custom backdoors and supporting tools against Israel-based organisations. A notable feature of these campaigns is that the group focuses purely on espionage: researchers have seen no data wiping or encryption, only the quiet collection and exfiltration of information.

According to researchers, the POLONIUM group has used multiple custom-crafted backdoors against Israeli organisations in a range of sectors, including engineering, the legal sector, insurance, information technology, social services, marketing, and communications.

Since last year, the group has used more than five custom tools in its attacks. Among the newly identified malware families are TechnoCreep, FlipCreep, MegaCreep, and PapaCreep. Alongside these, the group uses open-source and off-the-shelf tools as well as custom-built software for information gathering, such as keylogging, webcam recording, reverse proxying, and taking screenshots.

Researchers noted that the group's infrastructure consists either of legitimate websites that the group has compromised, or of servers hosted on virtual private servers (VPSs) under the group's own control.

Moreover, the researchers believe that the POLONIUM operators gained initial access to target networks by abusing valid Fortinet VPN account credentials.


POLONIUM's arsenal of Creep malware


Based on reports, the POLONIUM group operates several backdoors whose names share the word "Creep" and which differ in capability. The first is DeepCreep, a C# backdoor that reads its commands from a text file stored in Dropbox accounts. Next is CreepyDrive, a PowerShell backdoor that uses public cloud services such as Dropbox and OneDrive for command and control.

Another PowerShell backdoor used by the actors is CreepySnail, which runs arbitrary commands received from the operators on the compromised device. There is also the MegaCreep backdoor, which likewise accepts orders written in a text file, in this case stored in the Mega file storage service.
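The common thread in these backdoors is a scripting host that polls a cloud-storage API for a command file at a fixed interval. That pattern is something a defender can hunt for in proxy or EDR telemetry. The following is an added example written for this article, not code from the researchers' report or from the malware itself: it flags scripting hosts (PowerShell and friends) that beacon to cloud-storage API hosts with low timing jitter. The log format, the host names in CLOUD_STORAGE_HOSTS, and the sample events are all constructed assumptions; verify the API host names against your own environment's traffic before using the logic in production.

```python
"""Detection sketch: scripting hosts beaconing to cloud-storage APIs.

Added example for illustration; the log format and sample events below are
constructed, and the API host list is an assumption to be validated locally.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Cloud-storage API hosts a Creep-style backdoor would poll for a command
# file. Assumed values; confirm against your own proxy logs.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "g.api.mega.co.nz": "Mega",
}

# Scripting hosts that should rarely contact cloud-storage APIs directly.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Event:
    ts: int        # epoch seconds
    host: str      # endpoint name
    process: str   # image name that made the connection
    dest: str      # destination host name


def parse_line(line: str) -> Event:
    """Parse one constructed 'ts|host|process|dest' telemetry line."""
    ts, host, proc, dest = line.strip().split("|")
    return Event(int(ts), host, proc.lower(), dest.lower())


def find_suspicious(lines, min_hits=3, max_jitter=0.25):
    """Return alerts as (host, process, service, hit_count, mean_interval).

    An alert fires when a scripting host contacts a cloud-storage API at
    least min_hits times and the gaps between contacts are regular: the
    population standard deviation of the gaps divided by the mean gap is
    at most max_jitter. A sleep-loop backdoor produces near-zero jitter;
    interactive users and sync clients do not.
    """
    buckets = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.dest in CLOUD_STORAGE_HOSTS and ev.process in SCRIPT_HOSTS:
            buckets[(ev.host, ev.process, ev.dest)].append(ev.ts)

    alerts = []
    for (host, proc, dest), stamps in buckets.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else 1.0
        if jitter <= max_jitter:
            alerts.append((host, proc, CLOUD_STORAGE_HOSTS[dest], len(stamps), mean_gap))
    return alerts


# Constructed sample telemetry. WS01 is a PowerShell loop polling Dropbox
# every 60 s; WS02 is a mail client using Graph (not a scripting host);
# WS03 is a single PowerShell call (below min_hits); WS04 is PowerShell
# hitting Mega at irregular intervals (high jitter, likely a human).
SAMPLE_LOG = """\
1000|WS01|powershell.exe|api.dropboxapi.com
1060|WS01|powershell.exe|api.dropboxapi.com
1120|WS01|powershell.exe|api.dropboxapi.com
1180|WS01|powershell.exe|api.dropboxapi.com
1005|WS02|outlook.exe|graph.microsoft.com
1065|WS02|outlook.exe|graph.microsoft.com
1125|WS02|outlook.exe|graph.microsoft.com
1500|WS03|powershell.exe|content.dropboxapi.com
2000|WS04|powershell.exe|g.api.mega.co.nz
2030|WS04|powershell.exe|g.api.mega.co.nz
2400|WS04|powershell.exe|g.api.mega.co.nz
2410|WS04|powershell.exe|g.api.mega.co.nz
"""

if __name__ == "__main__":
    for host, proc, service, hits, mean_gap in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{host}: {proc} beaconing to {service} ({hits} hits, every ~{mean_gap}s)")
```

Run against the constructed sample, only WS01 is reported. The jitter threshold is the knob that matters: a backdoor that randomises its sleep will raise it, so in practice pair this with a lower-jitter, higher-volume rule and with the simpler question of why a scripting host is talking to a cloud-storage API at all.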

Other researchers also believe that the group has further spying tools that could be deployed in future espionage attacks.

The group has shown that it can expand and upgrade its arsenal over time. Its use of Dropbox, OneDrive, and Mega for command and control also means its traffic blends in with legitimate cloud-storage activity, which makes it harder to spot. So far the POLONIUM operators have targeted Israeli entities only, but experts note that organisations elsewhere should keep tabs on this group.
