POLONIUM APT group targets Israel

ESET researchers analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group. According to ESET telemetry, POLONIUM has targeted more than a dozen organizations in Israel since at least September 2021, with the group’s most recent actions being observed in September 2022. 

POLONIUM’s toolset consists of seven custom backdoors: CreepyDrive, which abuses the OneDrive and Dropbox cloud services for C&C; CreepySnail, which executes commands received from the attackers’ own infrastructure; DeepCreep and MegaCreep, which use the Dropbox and Mega file storage services, respectively, for the same purpose; and FlipCreep, TechnoCreep, and PapaCreep, which receive commands from attacker-controlled servers. The group has also used several custom modules to spy on its targets.
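The practical takeaway from this toolset is that C&C traffic hidden in legitimate cloud storage services does not stand out by destination alone, so hunting has to pivot on which process is talking to those services. The following is an added example, not ESET’s code and not an indicator list from their report: it parses constructed endpoint log lines (the log format, process names, and the allow-list of expected clients are all assumptions) and flags any process that is not a known browser or official sync client yet contacts the public API hosts of OneDrive, Dropbox, or Mega. The hosts are the services’ own endpoints, not attacker infrastructure.

```python
"""Hunt for unexpected processes using cloud file-storage APIs as a C&C channel.

Added example, not code from the ESET report. Everything below that is not
the services' own public API hostnames is an assumption: the log format,
the allow-list of expected client binaries, and the sample log lines.
"""
import re
from collections import defaultdict

# Public API endpoints of the three services named in the article. These are
# legitimate service hosts, not POLONIUM indicators.
CLOUD_STORAGE_HOSTS = {
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
    "graph.microsoft.com": "OneDrive",
    "g.api.mega.co.nz": "Mega",
    "mega.nz": "Mega",
}

# Binaries that are expected to reach those hosts (assumption; tune per estate).
EXPECTED_CLIENTS = {
    "chrome.exe", "msedge.exe", "firefox.exe",
    "dropbox.exe", "onedrive.exe", "megasync.exe",
}

# Assumed log shape: "<timestamp> host=<fqdn> pid=<n> image=<full path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+image=(?P<image>.+)$"
)

# Constructed sample telemetry: two legitimate clients, a browser, and two
# unknown binaries beaconing to storage APIs from writable directories.
SAMPLE_LOG = """\
2022-09-01T08:00:01Z host=api.dropboxapi.com pid=4120 image=C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe
2022-09-01T08:00:05Z host=graph.microsoft.com pid=2210 image=C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe
2022-09-01T08:00:09Z host=api.dropboxapi.com pid=6632 image=C:\\Users\\Public\\svchosts.exe
2022-09-01T08:00:39Z host=api.dropboxapi.com pid=6632 image=C:\\Users\\Public\\svchosts.exe
2022-09-01T08:01:09Z host=content.dropboxapi.com pid=6632 image=C:\\Users\\Public\\svchosts.exe
2022-09-01T08:01:10Z host=g.api.mega.co.nz pid=7001 image=C:\\Windows\\Temp\\update.exe
2022-09-01T08:01:12Z host=www.example.com pid=7001 image=C:\\Windows\\Temp\\update.exe
2022-09-01T08:01:30Z host=graph.microsoft.com pid=3300 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match.

    The image is reduced to its lowercase file name so the allow-list can be
    matched regardless of install path.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["image"] = rec["image"].rsplit("\\", 1)[-1].lower()
    return rec


def find_suspicious(lines):
    """Return sorted (image, pid, service, hit_count) tuples.

    A hit is any connection to a cloud-storage API host made by a process
    that is not in EXPECTED_CLIENTS. Counting per pid lets an analyst see
    repeated polling (the 30-second cadence in the sample) versus a one-off.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = CLOUD_STORAGE_HOSTS.get(rec["host"].lower())
        if service is None or rec["image"] in EXPECTED_CLIENTS:
            continue
        counts[(rec["image"], int(rec["pid"]), service)] += 1
    return sorted((img, pid, svc, n) for (img, pid, svc), n in counts.items())


if __name__ == "__main__":
    for image, pid, service, hits in find_suspicious(SAMPLE_LOG):
        print(f"SUSPECT {image} (pid {pid}) -> {service} API, {hits} connection(s)")
```

On the constructed sample the script reports `svchosts.exe` polling Dropbox three times and `update.exe` reaching Mega once, while the official Dropbox and OneDrive clients and Chrome are ignored. In a real estate the allow-list is the weak point: an attacker who injects into a browser or sync client is invisible to this check, so it is a triage filter, not a detection on its own.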

While ESET doesn’t report how the group gained initial access to the targeted systems, some of the victims’ Fortinet VPN account credentials were leaked in September 2021 and were made available online. As such, it is possible that the attackers gained access to the victims’ internal networks by abusing those leaked VPN credentials.
