A threat actor tracked as Polonium has been linked to over a dozen highly targeted attacks aimed at Israelian entities with seven different custom backdoors since at least September 2021.
The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said.
Polonium is the chemical element-themed moniker given by Microsoft to a sophisticated operational group that's believed to be based in Lebanon and is known to exclusively strike Israeli targets.
Activities undertaken by the group first came to light earlier this June when the Windows maker disclosed it suspended more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes.
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
ESET's latest discovery of five more previously undocumented backdoors brings into focus an active espionage-oriented threat actor that's constantly refining and retooling its malware arsenal.
"The numerous versions and changes Polonium introduced into its custom tools show a continuous and long-term effort to spy on the group's targets," ESET researcher MatÃas Porolli said. "The group doesn't seem to engage in any sabotage or ransomware actions."
The list of bespoke hacking tools is as follows -
PapaCreep, spotted as recently as September 2022, is a modular malware that contains four different components that are designed to run commands, receive and send commands and their outputs, and upload and download files.
The Slovak cybersecurity firm said it also uncovered several other modules responsible for logging keystrokes, capturing screenshots, taking photos via webcam, and establishing a reverse shell on the compromised machine.
Despite the abundance of malware utilized in the attacks, the initial access vector used to breach the networks is currently unknown, although it's suspected that it may have involved the exploitation of VPN flaws.
"Most of the group's malicious modules are small, with limited functionality," Porolli said. "They like to divide the code in their backdoors, distributing malicious functionality into various small DLLs, perhaps expecting that defenders or researchers will not observe the complete attack chain."
Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.
source
https://1home.streamstorecloud.com/researchers-uncover-custom-backdoors-and-spying-tools-used-by-polonium-hackers-the-hacker-news/?feed_id=8036&_unique_id=638143aa755e3
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.