"POLONIUM APT Targets Israel With a New Custom Backdoor Dubbed PapaCreep"

Since at least September 2021, an Advanced Persistent Threat (APT) group known as POLONIUM has used custom backdoors in attacks against Israeli entities. The group has focused exclusively on Israeli targets and has attacked more than a dozen organizations in engineering, information technology, law, communications, branding and marketing, media, insurance, and social services. Based on victim overlap and shared tactics, techniques, and procedures (TTPs), researchers at the Microsoft Threat Intelligence Center (MSTIC) believe the attackers coordinated with other actors affiliated with Iran's Ministry of Intelligence and Security (MOIS). MSTIC has observed POLONIUM operating on or targeting a number of organizations that had previously been compromised by the Iran-linked MuddyWater APT group, also known as MERCURY. According to ESET researchers, POLONIUM has used at least seven different custom backdoors against Israeli targets. Most of the attacks were discovered in September 2022, and the group's custom tools allowed it to spy on victims: the tools have been used to take screenshots, log keystrokes, spy via webcam, open reverse shells, exfiltrate files, and more. The threat actors have also been observed using a previously unknown custom backdoor called PapaCreep, a C++ backdoor that receives and executes commands from a remote server over Transmission Control Protocol (TCP) sockets. PapaCreep is the first POLONIUM backdoor not written in C# or PowerShell. This article continues to discuss the targets, tools, and tactics of the POLONIUM APT group.

Security Affairs reports "POLONIUM APT Targets Israel With a New Custom Backdoor Dubbed PapaCreep"