POLONIUM Hacking Group Targets Israel with Malware
Details on the Group’s Cyberespionage Campaign.
A previously unknown malware used by the hacking group POLONIUM has been uncovered by security researchers. The group targets Israeli engineering, IT, legal, communications, marketing, and insurance industries with a wide variety of custom malware. At the time of writing, the group’s campaigns were still going strong.
The Malware Is Used for Cyberespionage
According to BleepingComputer, POLONIUM's malware is not built for ransomware, data wiping, or other actions that would damage the targeted organizations' files; its purpose is cyberespionage.
The hackers have used at least seven variants of custom backdoors since September 2021, four of which, "TechnoCreep", "FlipCreep", "MegaCreep" and "PapaCreep", were previously undocumented by security researchers. Some of the backdoors abuse cloud services such as OneDrive, Mega, and Dropbox as command and control (C2) servers, while others use standard TCP connections to remote C2 servers or fetch the commands to execute from files hosted on FTP servers.
The most recent backdoor, PapaCreep, which was spotted earlier this year in September, is the first written in C++. PapaCreep is also modular: it splits command execution, C2 communication, file upload, and file download into separate components.
The ability to collect keystrokes, screenshot the desktop, take pictures with the webcam, exfiltrate files from the host, install additional malware, and run commands on the compromised device are just some of the dangerous capabilities of these backdoors.
Besides the "Creepy" variants, POLONIUM uses a variety of other tools, both custom-built and off-the-shelf open-source, for reverse proxying, screenshot capture, keylogging, and webcam snapping.
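One defensive angle on the C2 channels described above: a small detection rule, added here as an illustration and not taken from the original report or from the researchers' tooling, that flags endpoint network connections to the cloud-storage services and FTP destinations named in the article when they originate from a process outside an allowlist. The log format, domain suffixes, and process allowlist are assumptions to be tuned per environment, and the sample log lines are constructed.

```python
import re
from typing import Optional

# Constructed log format for this example (not any real product's format):
# "<timestamp> proc=<image path> dst=<host>:<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) proc=(?P<proc>.+?) dst=(?P<host>[^:\s]+):(?P<port>\d+)$")

# Domain suffixes for the services the article names as abused for C2 (illustrative, assumed)
CLOUD_STORAGE_SUFFIXES = ("onedrive.com", "mega.nz", "mega.co.nz", "dropbox.com", "dropboxapi.com")

# Processes expected to talk to each destination class (assumed allowlist; tune per environment)
ALLOWED = {
    "cloud-storage": {"onedrive.exe", "megasync.exe", "dropbox.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "ftp": {"filezilla.exe", "winscp.exe"},
}

def classify_destination(host: str, port: int) -> Optional[str]:
    """Return 'cloud-storage', 'ftp', or None for destinations this rule does not cover."""
    if any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
        return "cloud-storage"
    if port == 21:
        return "ftp"
    return None

def find_suspicious_connections(log_lines):
    """Flag cloud-storage or FTP connections made by processes that are not on the allowlist."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        image = m["proc"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        category = classify_destination(m["host"].lower(), int(m["port"]))
        if category and image not in ALLOWED[category]:
            findings.append({"ts": m["ts"], "process": image, "host": m["host"], "category": category})
    return findings

# Constructed sample log: a sync client, an FTP client, a browser, and an unknown binary twice
SAMPLE_LOG = [
    r"2022-10-12T09:01:02Z proc=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe dst=api.onedrive.com:443",
    r"2022-10-12T09:03:17Z proc=C:\Users\Public\update.exe dst=g.api.mega.co.nz:443",
    r"2022-10-12T09:05:44Z proc=C:\Program Files\FileZilla FTP Client\filezilla.exe dst=ftp.example.com:21",
    r"2022-10-12T09:07:09Z proc=C:\Users\Public\update.exe dst=198.51.100.7:21",
    r"2022-10-12T09:08:30Z proc=C:\Program Files\Google\Chrome\Application\chrome.exe dst=www.dropbox.com:443",
]

if __name__ == "__main__":
    for f in find_suspicious_connections(SAMPLE_LOG):
        print(f"{f['ts']} {f['process']} -> {f['host']} [{f['category']}]")
```

The rule deliberately keys on which process opens the connection rather than on the destination alone, since the destinations are legitimate services that ordinary sync clients and browsers also use.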
A Slippery Group
It is currently unclear which tactics POLONIUM uses to compromise networks, but it was previously reported that the group exploited product flaws in VPNs to breach them. The threat actor's private infrastructure is hidden behind VPS hosting and legitimate compromised websites, making it difficult to map the group's activity.
POLONIUM is a sophisticated and highly targeted group. Its attention is currently fixed on Israeli enterprises, but that could change at any moment depending on the group's interests.