Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

Seven ‘Creepy’ Backdoors Used by Lebanese Cyberspy Group in Israel Attacks

ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.

ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.

Polonium was initially detailed by Microsoft in June 2022, but evidence suggests that the group has been active since at least September 2021, mainly focusing on cyberespionage.

Operating out of Lebanon, the APT is believed to be working with threat actors affiliated with Iran in the targeting of more than 20 communications, engineering, insurance, information technology, law, marketing, media, and social services entities in Israel.

An active threat that constantly updates its toolset, Polonium has been using seven different backdoors and custom tools slightly modified between attacks, and has been abusing cloud services for command and control (C&C) communications.

“We have seen more than 10 different malicious modules since we started tracking the group, most of them with various versions or with minor changes for a given version,” ESET explains.

The group relies on small modules with limited functionality and even divide the code in their seven backdoors – namely CreepyDrive, CreepySnail, DeepCreep, MegaCreep, FlipCreep, TechnoCreep, and PapaCreep – to hide the full infection chain.

In use since February 2022, CreepyDrive and CreepySnail are PowerShell backdoors that support command execution and which have been detailed by Microsoft in June. The five remaining backdoors in Polonium’s arsenal are previously undocumented.

DeepCreep is a C# backdoor in use since October 2021, which can retrieve commands from text files on Dropbox, can upload and download files to and from the cloud service, and achieves persistence by placing a shortcut file in the Startup folder and by creating a scheduled task.

Advertisement. Scroll to continue reading.

Polonium Creep backdoors

MegaCreep, which Polonium has been using since April 2022, retrieves commands from text files stored in Mega cloud storage. The backdoor appears to be a newer version of DeepCreep, reusing some of its code.

FlipCreep, a C# backdoor that reads commands from a text file on an FTP server, and TechnoCreep, which relies on TCP sockets for C&C communication, support similar file transfer capabilities as the other malware families and have been in use since September 2021.

Written in C++, PapaCreep is the most recent backdoor in Polonium’s arsenal, first seen in September 2022. Featuring a modular design, it uses different components to read commands from a file, to communicate with the C&C server, to upload files to the C&C, and to download files from the server.

The cyberespionage group uses additional modules on top of these backdoors, including reverse shells and a tunneling module, as well as custom and open source keyloggers.

Related: Lebanese Threat Actor ‘Polonium’ Targets Israeli Organizations

Related: New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers

Related: New Cyberespionage Group ‘Worok’ Targeting Entities in Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.