Microsoft Security: Exposing POLONIUM activity and infrastructure targeting Israeli organizations

Home/Internet Security, Microsoft, POLONIUM activity, Security Advisory, Security Update, Targeted Attacks/Microsoft Security: Exposing POLONIUM activity and infrastructure targeting Israeli organizations

Microsoft Security: Exposing POLONIUM activity and infrastructure targeting Israeli organizations

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM .

The associated indicators and tactics were used by the OneDrive team to improve detection of attack activity and disable offending actor accounts. 

POLONIUM activity has targeted or compromised more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon over the past three months.

Observed Activity C2 POLONIUM

POLONIUM has also been observed deploying a custom PowerShell implant detected as Backdoor:PowerShell/CreepySnail.B!dha.

The CreepySnail PowerShell implant, once deployed on a target network, attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further actions on objectives, such as data exfiltration.

This has also been observed dropping a secondary payload via their OneDrive implant. It used a common SSH tool for automating interactive sign-ins called plink to set up a redundant tunnel from the victim environment to the attacker-controlled infrastructure.

Recommended customer actions by microsoft for POLONIUM activity

  • Use the included indicators of compromise to investigate whether they exist in your environment and assess for potential intrusion. 
  • Confirm that Microsoft Defender Antivirus is updated to security intelligence update 1.365.40.0 or later, or ensure that cloud protection is turned on, to detect the related indicators.
  • Block in-bound traffic from IPs specified in the “Indicators of compromise” table.
  • Review all authentication activity for remote access infrastructure (VPNs), with a particular focus on accounts configured with single factor authentication, to confirm authenticity and investigate any anomalous activity.
  • Enable multifactor authentication (MFA) to mitigate potentially compromised credentials and ensure that MFA is enforced for all remote connectivity.  
  • For customers that have relationships with service providers, review and audit partner relationships to minimize any unnecessary permissions between your organization and upstream providers.
  • Microsoft recommends immediately removing access for any partner relationships that look unfamiliar or have not yet been audited.

Indicators of compromise (IOCs)

135[.]125[.]147[.]170:80IPv4 addressC2  for POLONIUM CreepySnail implant
185[.]244[.]129[.]79:63047IPv4 addressC2  for POLONIUM CreepySnail implant
185[.]244[.]129[.]79:80IPv4 addressC2  for POLONIUM CreepySnail implant
45[.]80[.]149[.]108:63047IPv4 addressC2  for POLONIUM CreepySnail implant
45[.]80[.]149[.]108:80IPv4 addressC2  for POLONIUM CreepySnail implant
45[.]80[.]149[.]57:63047IPv4 addressC2  for POLONIUM CreepySnail implant
45[.]80[.]149[.]68:63047IPv4 addressC2  for POLONIUM CreepySnail implant
45[.]80[.]149[.]71:80IPv4 addressC2 for POLONIUM CreepySnail implant
185[.]244[.]129[.]109IPv4 addressC2 for POLONIUM plink tunnels
172[.]96[.]188[.]51IPv4 addressC2 for POLONIUM plink tunnels
51[.]83[.]246[.]73IPv4 addressC2 for POLONIUM plink tunnels
Trojan:PowerShell/CreepyDrive.A!dhaToolCustom implant signature
Trojan:PowerShell/CreepyDrive.B!dhaToolCustom implant signature
Trojan:PowerShell/CreepyDrive.C!dhaToolCustom implant signature
Trojan:PowerShell/CreepyDrive.D!dhaToolCustom implant signature
Trojan:PowerShell/CreepyDrive.E!dhaToolCustom implant signature
Trojan:MSIL/CreepyBox.A!dhaToolCustom implant signature
Trojan:MSIL/CreepyBox.B!dhaToolCustom implant signature
Trojan:MSIL/CreepyBox.C!dhaToolCustom implant signature
Trojan:MSIL/CreepyRing.A!dhaToolCustom implant signature
Trojan:MSIL/CreepyWink.B!dhaToolCustom implant signature
Backdoor:PowerShell/CreepySnail.B!dhaToolCustom implant signature

NOTE: These indicators should not be considered exhaustive for this observed activity.


Microsoft 365 Defender

Microsoft Defender Antivirus

It detects the malware tools and implants used by POLONIUM starting from signature build 1.365.40.0 as the following:

  • Trojan:PowerShell/CreepyDrive.A!dha
  • Trojan:PowerShell/CreepyDrive.B!dha
  • Trojan:PowerShell/CreepyDrive.C!dha
  • Trojan:PowerShell/CreepyDrive.D!dha
  • Trojan:PowerShell/CreepyDrive.E!dha
  • Trojan:MSIL/CreepyBox.A!dha
  • Trojan:MSIL/CreepyBox.B!dha
  • Trojan:MSIL/CreepyBox.B!dha
  • Trojan:MSIL/CreepyRing.A!dha
  • Trojan:MSIL/CreepyWink.B!dha
  • Backdoor: PowerShell/CreepySnail.B!dha

Microsoft Defender for Endpoint

Microsoft Defender for Endpoint customers may see any or a combination of the following alerts as an indication of possible attack. These alerts are not necessarily an indication of POLONIUM compromise:

  • POLONIUM Actor Activity Detected
  • PowerShell made a suspicious network connection
  • Suspicious behavior by powershell.exe was observed
  • Hidden dual-use tool launch attempt
  • Outbound connection to non-standard port

Follow us for more, Facebook, Twitter, LinkedIn and Instagram

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!