Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyber Insurance

Seven ‘Creepy’ Backdoors Used by Lebanese Cyberspy Group in Israel Attacks

ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.

ESET has published an analysis of the seven backdoors that Lebanese advanced persistent threat (APT) actor Polonium has been using since September 2021 in attacks targeting Israeli organizations.

Polonium was initially detailed by Microsoft in June 2022, but evidence suggests that the group has been active since at least September 2021, mainly focusing on cyberespionage.

Operating out of Lebanon, the APT is believed to be working with threat actors affiliated with Iran in the targeting of more than 20 communications, engineering, insurance, information technology, law, marketing, media, and social services entities in Israel.

An active threat that constantly updates its toolset, Polonium has been using seven different backdoors and custom tools slightly modified between attacks, and has been abusing cloud services for command and control (C&C) communications.

“We have seen more than 10 different malicious modules since we started tracking the group, most of them with various versions or with minor changes for a given version,” ESET explains.

The group relies on small modules with limited functionality and even divide the code in their seven backdoors – namely CreepyDrive, CreepySnail, DeepCreep, MegaCreep, FlipCreep, TechnoCreep, and PapaCreep – to hide the full infection chain.

In use since February 2022, CreepyDrive and CreepySnail are PowerShell backdoors that support command execution and which have been detailed by Microsoft in June. The five remaining backdoors in Polonium’s arsenal are previously undocumented.

Advertisement. Scroll to continue reading.

DeepCreep is a C# backdoor in use since October 2021, which can retrieve commands from text files on Dropbox, can upload and download files to and from the cloud service, and achieves persistence by placing a shortcut file in the Startup folder and by creating a scheduled task.

Polonium Creep backdoors

MegaCreep, which Polonium has been using since April 2022, retrieves commands from text files stored in Mega cloud storage. The backdoor appears to be a newer version of DeepCreep, reusing some of its code.

FlipCreep, a C# backdoor that reads commands from a text file on an FTP server, and TechnoCreep, which relies on TCP sockets for C&C communication, support similar file transfer capabilities as the other malware families and have been in use since September 2021.

Written in C++, PapaCreep is the most recent backdoor in Polonium’s arsenal, first seen in September 2022. Featuring a modular design, it uses different components to read commands from a file, to communicate with the C&C server, to upload files to the C&C, and to download files from the server.

The cyberespionage group uses additional modules on top of these backdoors, including reverse shells and a tunneling module, as well as custom and open source keyloggers.

Related: Lebanese Threat Actor ‘Polonium’ Targets Israeli Organizations

Related: New Chinese Cyberespionage Group WIP19 Targets Telcos, IT Service Providers

Related: New Cyberespionage Group ‘Worok’ Targeting Entities in Asia

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.

Register

Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cyber Insurance

Cyberinsurance and protection firm Boxx Insurance raises $14.4 million in a Series B funding round led by Zurich Insurance.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...