Thursday 29 September 2022, 11:30 - 12:00
Matias Porolli (ESET)
This paper will be presented by Robert Lipovsky, ESET.
POLONIUM is a threat actor that was first publicly documented in June 2022 by Microsoft researchers, who assess that the actor has been operating out of Lebanon since February 2022, deploying its custom implants CreepyDrive and CreepySnail against organizations in the IT, manufacturing and defence sectors in Israel.
While public visibility of the group's activities is very limited, our telemetry shows that the group has in fact been active since at least September 2021, continuously developing new tools and improving its existing ones to this day. Apart from CreepyDrive and CreepySnail, we have discovered that the group uses four other previously undocumented backdoors, as well as several in-house-developed tools, including custom keyloggers that can handle Arabic and Hebrew text and a tool that captures snapshots from the webcam. The group is notable for abusing cloud storage services for command and control: in addition to the previously documented use of OneDrive and Dropbox, we have observed it abusing Mega.
In this presentation we'll take a look at the various components of POLONIUM's toolset. We'll analyse not only their individual characteristics, but also the commonalities that describe POLONIUM's coding style. We'll share insights about how the group operates, their victimology, and network infrastructure. We'll analyse the tricks that they use to try to evade detection, and how they abuse cloud storage services for command and control. We'll finish by assessing possible overlaps with other APT groups.
Born and raised in Argentina, Matias is a malware researcher on the ESET Threat Intelligence team in Canada. He divides his time between tracking APT groups and reverse engineering their malware. Before moving to Canada, he worked for ESET in their Buenos Aires office. His interests include studying exploitation in the Windows environment, crackmes, CTFs and C programming.