Commercial Cloud Storage Accounts are Used by Polonium for Command-and-Control

Israeli groups are being targeted by an Iranian-affiliated advanced persistent threat cell operating out of Lebanon.

The APT group known as Polonium targets businesses in a variety of industries, including engineering, social services, law, branding, and information technology. It also targets businesses in the legal, media, insurance, and communications sectors.

The group has been targeting more than a dozen Israeli organizations since last fall, according to telemetry collected by cybersecurity company Eset, including an operation discovered in September. Microsoft initially noted the threat actor's presence in June, after discovering it using OneDrive storage for command and control.

According to Eset's research, the gang employs a variety of custom-coded backdoors that use Dropbox and Mega in addition to OneDrive. The backdoors, all of which carry names that are variations on the term "creep" (such as DeepCreep and MegaCreep), contact the cloud storage accounts to retrieve text files from which they read and run commands. A backdoor variant known as FlipCreep instead contacts a Polonium FTP server to fetch a file called orders.txt.
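The detection angle on this command channel is that a legitimate host talks to consumer cloud storage only through known sync clients or browsers, whereas a backdoor polls the same API from an unexpected process and keeps coming back for the command file. The script below is an added example written for this article; it is not code from Eset's report or from any Polonium sample. The log line format, the host and process names, the endpoint list and the allowlist of expected clients are all constructed assumptions, and the only file name taken from the article is orders.txt.

```python
"""Heuristic detection for cloud-storage and FTP command channels of the
kind described for the Polonium 'Creep' backdoors.

Rules applied to each log line (format is a constructed assumption:
<timestamp> <host> <process> <protocol> <destination> <detail>):
  1. A process that is not an expected sync client or browser reaching a
     consumer cloud storage API endpoint.
  2. An FTP retrieval of a file named orders.txt (the FlipCreep command file).
  3. Rule-1 hits repeated by one process against one endpoint, which is the
     polling pattern of a backdoor waiting for new commands.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Assumed endpoint-to-service map; extend it to match your own proxy data.
CLOUD_STORAGE_DOMAINS = {
    "graph.microsoft.com": "OneDrive",
    "api.onedrive.com": "OneDrive",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "g.api.mega.co.nz": "Mega",
}

# Assumed allowlist of processes that legitimately reach those services.
EXPECTED_CLIENTS = {"onedrive.exe", "dropbox.exe", "megasync.exe",
                    "chrome.exe", "msedge.exe", "firefox.exe"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<process>\S+) (?P<proto>\S+) "
    r"(?P<dest>\S+) (?P<detail>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed-format log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(ev: Dict[str, str]) -> List[str]:
    """Return alert tags for a single parsed event (empty list if benign)."""
    tags: List[str] = []
    dest_host = ev["dest"].split(":")[0].lower()   # drop any :port suffix
    proc = ev["process"].lower()
    if dest_host in CLOUD_STORAGE_DOMAINS and proc not in EXPECTED_CLIENTS:
        tags.append(f"unexpected-client:{CLOUD_STORAGE_DOMAINS[dest_host]}")
    if ev["proto"].lower() == "ftp" and re.search(
            r"RETR\s+\S*orders\.txt\b", ev["detail"], re.IGNORECASE):
        tags.append("ftp-command-file:orders.txt")
    return tags


def analyze(lines: List[str], min_polls: int = 3) -> Dict[str, List[str]]:
    """Map 'host/process' to its sorted alert tags.

    A 'polling:' tag is added when one process triggers rule 1 against the
    same destination at least min_polls times in the supplied lines.
    """
    alerts: Dict[str, set] = defaultdict(set)
    polls: Dict[tuple, int] = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # skip blank or malformed lines
        key = f"{ev['host']}/{ev['process']}"
        for tag in classify(ev):
            alerts[key].add(tag)
            if tag.startswith("unexpected-client:"):
                polls[(key, ev["dest"])] += 1
    for (key, dest), n in polls.items():
        if n >= min_polls:
            alerts[key].add(f"polling:{dest}x{n}")
    return {k: sorted(v) for k, v in alerts.items()}


# Constructed sample: one legitimate OneDrive client, one unknown process
# polling a command text file through the OneDrive API every minute, a
# browser using Dropbox, and a process fetching orders.txt over FTP.
SAMPLE_LOG = """\
2022-10-03T09:00:01Z WS01 OneDrive.exe https graph.microsoft.com GET /v1.0/me/drive/root
2022-10-03T09:00:05Z WS07 sync_helper.exe https graph.microsoft.com GET /v1.0/me/drive/root:/commands.txt:/content
2022-10-03T09:01:05Z WS07 sync_helper.exe https graph.microsoft.com GET /v1.0/me/drive/root:/commands.txt:/content
2022-10-03T09:02:05Z WS07 sync_helper.exe https graph.microsoft.com GET /v1.0/me/drive/root:/commands.txt:/content
2022-10-03T09:02:30Z WS03 chrome.exe https api.dropboxapi.com POST /2/files/list_folder
2022-10-03T09:03:00Z WS12 update.exe ftp 198.51.100.20:21 RETR orders.txt
2022-10-03T09:03:10Z WS12 update.exe ftp 198.51.100.20:21 RETR notes.txt
"""

if __name__ == "__main__":
    for key, tags in analyze(SAMPLE_LOG.splitlines()).items():
        print(key, "->", ", ".join(tags))
```

Run against the constructed sample, the OneDrive client and the browser produce nothing, the unknown process is flagged both for reaching the OneDrive API and for polling it three times, and the FTP fetch of orders.txt is flagged while the fetch of notes.txt is not. In production the allowlist should be driven by signed-binary or path checks rather than bare process names, since a backdoor can of course name its host process anything it likes.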

Over the past ten years, Iranian state-sponsored hacking has become more prevalent, whether carried out directly or via proxies. Iranian hackers may not be as skilled as their Chinese or Russian counterparts, but they have still succeeded in their goals, which include a damaging strike against Albania earlier this year, and they have developed tools such as a covert email inbox scraper.

Last Words

By dispersing their functionality across small DLLs, Polonium's backdoors, according to Eset researchers, "perhaps anticipate that defenders or researchers will not see the whole attack chain."

After installing a backdoor, the threat actors may deploy modules for tasks including keylogging, screenshotting, stealing files, and running commands.

It is still unknown how the group gains initial access to the targeted systems. However, according to Eset analysts, some of the victims' Fortinet VPN account credentials were compromised in September 2021 and were posted online.
