Heimdal

A previously unknown malware used by the hacking group POLONIUM has been uncovered by security researchers. The group targets Israeli engineering, IT, legal, communications, marketing, and insurance industries with a wide variety of custom malware. At the time of writing, the group’s campaigns were still going strong.

The Malware Is Used for Cyberespionage

According to BleepingComputer, POLONIUM's malware is not built for ransomware, data wiping, or other actions that would damage the targeted organizations' files; its purpose is cyberespionage.

The hackers have used at least seven variants of custom backdoors since September 2021, four of which, “TechnoCreep”, “FlipCreep”, “MegaCreep” and “PapaCreep”, were previously undocumented by security researchers. Some of the backdoors abuse cloud services such as OneDrive, Mega, and Dropbox as command and control (C2) servers, while others use standard TCP connections, either to remote C2 servers or to fetch commands from files hosted on FTP servers.
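The C2 pattern just described, cloud-storage services used as a command channel alongside plain TCP and FTP, is one a defender can hunt for in egress logs. The following Python sketch is an added example, not code from the article, from Heimdal or from the researchers who analysed POLONIUM: it parses a simple connection log and flags processes that reach cloud-storage APIs or FTP servers without being on an allow-list of clients expected to do so. The log format, host suffixes, allow-lists and every sample line are constructed for this illustration.

```python
"""Hunting heuristic for cloud-storage and FTP command-and-control channels.

Added example (constructed for illustration): flags connections to consumer
cloud-storage APIs or FTP servers that originate from processes not expected
to use those services. All host lists, allow-lists and log lines are made up.
"""
import re
from typing import Optional

# Constructed: host suffixes for the cloud services named in the article.
# In practice these come from the proxy's URL-category data, not a hard-coded list.
CLOUD_STORAGE_HOSTS = {
    "onedrive": ("graph.microsoft.com", "onedrive.live.com", "1drv.ms"),
    "dropbox":  ("dropboxapi.com", "dropbox.com"),
    "mega":     ("mega.co.nz", "mega.nz"),
}

# Constructed allow-lists: processes that legitimately talk to these services.
EXPECTED_CLOUD_CLIENTS = {"onedrive.exe", "dropbox.exe", "megasync.exe",
                          "chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}
FTP_PORTS = {21}

# Constructed log format: "<ts> host=<h> proc=<p> dst=<host-or-ip>:<port> proto=<p>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one legitimate and one suspicious client per service,
# plus a malformed line to show the parser skipping it.
SAMPLE_LOG = """
2022-10-12T09:01:11Z host=ws-fin-07 proc=onedrive.exe dst=graph.microsoft.com:443 proto=tcp
2022-10-12T09:02:40Z host=ws-fin-07 proc=svchost_update.exe dst=graph.microsoft.com:443 proto=tcp
2022-10-12T09:03:02Z host=ws-eng-03 proc=dropbox.exe dst=api.dropboxapi.com:443 proto=tcp
2022-10-12T09:04:15Z host=ws-eng-03 proc=winupd.exe dst=content.dropboxapi.com:443 proto=tcp
2022-10-12T09:05:30Z host=ws-legal-01 proc=chrome.exe dst=mega.nz:443 proto=tcp
2022-10-12T09:06:01Z host=ws-legal-01 proc=svc_update.exe dst=g.api.mega.co.nz:443 proto=tcp
this line is not in the expected format
2022-10-12T09:07:22Z host=ws-it-02 proc=explorer.exe dst=203.0.113.45:21 proto=tcp
2022-10-12T09:08:10Z host=ws-it-02 proc=filezilla.exe dst=203.0.113.45:21 proto=tcp
""".splitlines()


def parse_line(line: str) -> Optional[dict]:
    """Return a normalised event dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    ev["proc"] = ev["proc"].lower()
    ev["dst"] = ev["dst"].lower()
    return ev


def cloud_service(dst: str) -> Optional[str]:
    """Map a destination host to a cloud-storage service name, if any."""
    for name, suffixes in CLOUD_STORAGE_HOSTS.items():
        if any(dst == s or dst.endswith("." + s) for s in suffixes):
            return name
    return None


def classify(ev: dict) -> Optional[dict]:
    """Apply the two hunting rules; return an alert dict or None."""
    service = cloud_service(ev["dst"])
    if service and ev["proc"] not in EXPECTED_CLOUD_CLIENTS:
        return {"rule": "cloud-storage-c2-candidate", "service": service, **ev}
    if ev["port"] in FTP_PORTS and ev["proc"] not in EXPECTED_FTP_CLIENTS:
        return {"rule": "ftp-command-channel-candidate", "service": "ftp", **ev}
    return None


def hunt(lines) -> list:
    """Run the rules over an iterable of log lines and collect alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # blank or malformed line
        alert = classify(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"{a['rule']:32} {a['host']:12} {a['proc']:20} -> {a['dst']}:{a['port']}")
```

The allow-list approach is deliberately simple: a browser or official sync client talking to these services is normal, so the signal is the unexpected process, not the destination. A real deployment would add the process's signer and path, and would treat TCP connections from the same unexpected process to rarely seen external hosts as a third rule, since the article notes some variants use plain TCP to their own C2 servers.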

The most recent backdoor, PapaCreep, spotted in September of this year, is the first one written in C++. PapaCreep is also modular: it splits command execution, C2 communication, file upload, and file download into separate components.

Collecting keystrokes, capturing screenshots of the desktop, taking pictures with the webcam, exfiltrating files from the host, installing additional malware, and running commands on the compromised device are just a few of the capabilities these backdoors offer.

Besides the “Creepy” variants, POLONIUM uses a variety of tools, both custom and off-the-shelf open-source ones, for reverse proxying, taking screenshots, keylogging, and webcam snapping.

A Slippery Group

It is currently unclear which tactics POLONIUM used to compromise the affected networks, but it was previously reported that the group exploited flaws in VPN products to breach networks. The threat actor's private infrastructure is hidden behind VPS hosts and compromised legitimate websites, which makes the group's activity difficult to map.

POLONIUM is a sophisticated group whose operations are highly targeted. Its attention is currently fixed on Israeli enterprises, but that could change at any moment depending on the group’s interests.


Author Profile

Cristian Neagu

CONTENT EDITOR


Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.
