Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers
A threat actor tracked as Polonium has been linked to over a dozen highly targeted attacks aimed at Israelian entities with seven different custom backdoors since at least September 2021.
The intrusions were aimed at organizations in various verticals, such as engineering, information technology, law, communications, branding and marketing, media, insurance, and social services, cybersecurity firm ESET said.
Polonium is the chemical element-themed moniker given by Microsoft to a sophisticated operational group that’s believed to be based in Lebanon and is known to exclusively strike Israeli targets.
Activities undertaken by the group first came to light earlier this June when the Windows maker disclosed it suspended more than 20 malicious OneDrive accounts created by the adversary for command-and-control (C2) purposes.
Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail.
ESET’s latest discovery of five more previously undocumented backdoors brings into focus an active espionage-oriented threat actor that’s constantly refining and retooling its malware arsenal.