Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.
The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts.
POLONIUM activity has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months.
[Figure: POLONIUM observed activity and C2 infrastructure]
POLONIUM has also been observed deploying a custom PowerShell implant detected as Backdoor:PowerShell/CreepySnail.B!dha.
The CreepySnail PowerShell implant, once deployed on a target network, attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further actions on objectives, such as data exfiltration.
POLONIUM has also been observed dropping a secondary payload via its OneDrive implant: plink, a common SSH tool for automating interactive sign-ins, which the group used to set up a redundant tunnel from the victim environment to the attacker-controlled infrastructure.
Recommended customer actions by Microsoft for POLONIUM activity
- Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion.
- Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.365.40.0 or later, or ensure that cloud protection is turned on, to detect the related indicators.
- Block in-bound traffic from IPs specified in the “Indicators of compromise” table.
- Review all authentication activity for remote access infrastructure (VPNs), with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
- Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.
- For customers that have relationships with service providers, review and audit partner relationships to minimize any unnecessary permissions between your organization and upstream providers.
- Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.
Indicators of compromise (IOCs)
| Indicator | Type | Description |
| --- | --- | --- |
| 135[.]125[.]147[.]170:80 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 185[.]244[.]129[.]79:63047 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 185[.]244[.]129[.]79:80 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 45[.]80[.]149[.]108:63047 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 45[.]80[.]149[.]108:80 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 45[.]80[.]149[.]57:63047 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 45[.]80[.]149[.]68:63047 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 45[.]80[.]149[.]71:80 | IPv4 address | C2 for POLONIUM CreepySnail implant |
| 185[.]244[.]129[.]109 | IPv4 address | C2 for POLONIUM plink tunnels |
| 172[.]96[.]188[.]51 | IPv4 address | C2 for POLONIUM plink tunnels |
| 51[.]83[.]246[.]73 | IPv4 address | C2 for POLONIUM plink tunnels |
| Trojan:PowerShell/CreepyDrive.A!dha | Tool | Custom implant signature |
| Trojan:PowerShell/CreepyDrive.B!dha | Tool | Custom implant signature |
| Trojan:PowerShell/CreepyDrive.C!dha | Tool | Custom implant signature |
| Trojan:PowerShell/CreepyDrive.D!dha | Tool | Custom implant signature |
| Trojan:PowerShell/CreepyDrive.E!dha | Tool | Custom implant signature |
| Trojan:MSIL/CreepyBox.A!dha | Tool | Custom implant signature |
| Trojan:MSIL/CreepyBox.B!dha | Tool | Custom implant signature |
| Trojan:MSIL/CreepyBox.C!dha | Tool | Custom implant signature |
| Trojan:MSIL/CreepyRing.A!dha | Tool | Custom implant signature |
| Trojan:MSIL/CreepyWink.B!dha | Tool | Custom implant signature |
| Backdoor:PowerShell/CreepySnail.B!dha | Tool | Custom implant signature |
NOTE: These indicators should not be considered exhaustive for this observed activity.
Detections
Microsoft 365 Defender
Microsoft Defender Antivirus
Microsoft Defender Antivirus detects the malware tools and implants used by POLONIUM, starting from signature build 1.365.40.0, as the following:
- Trojan:PowerShell/CreepyDrive.A!dha
- Trojan:PowerShell/CreepyDrive.B!dha
- Trojan:PowerShell/CreepyDrive.C!dha
- Trojan:PowerShell/CreepyDrive.D!dha
- Trojan:PowerShell/CreepyDrive.E!dha
- Trojan:MSIL/CreepyBox.A!dha
- Trojan:MSIL/CreepyBox.B!dha
- Trojan:MSIL/CreepyBox.C!dha
- Trojan:MSIL/CreepyRing.A!dha
- Trojan:MSIL/CreepyWink.B!dha
- Backdoor:PowerShell/CreepySnail.B!dha
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack. These alerts are not necessarily an indication of POLONIUM compromise:
- POLONIUM Actor Activity Detected
- PowerShell made a suspicious network connection
- Suspicious behavior by powershell.exe was observed
- Hidden dual-use tool launch attempt
- Outbound connection to non-standard port