CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[1]
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled Dropbox accounts.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | CreepyDrive can use PowerShell for execution, including the cmdlets |
| Enterprise | T1005 | Data from Local System | CreepyDrive can upload files to C2 from victim machines.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | CreepyDrive can use cloud services including OneDrive for data exfiltration.[1] |
| Enterprise | T1083 | File and Directory Discovery | CreepyDrive can specify the local file path to upload files from.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CreepyDrive can download files to the compromised host.[1] |
| Enterprise | T1550.001 | Use Alternate Authentication Material: Application Access Token | CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | CreepyDrive can use OneDrive for C2.[1] |
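The techniques in the table share one network shape: a script interpreter redeems an OAuth token at the Microsoft identity platform, then moves file content through the Microsoft Graph OneDrive endpoints, downloading tasking (T1105) and uploading collected files (T1567.002). The following is an added hunt example, not code from the ATT&CK page or from POLONIUM's tooling. It walks constructed web-proxy log lines and flags that sequence. The hostnames and URL path patterns are the public Microsoft Graph and identity-platform endpoints; the log format, process names, timestamps, file names and the allowlist of processes expected to talk to Graph are assumptions for illustration, and the page does not say which drive paths CreepyDrive itself uses.

```python
"""Hunt for OAuth-token-then-Graph-drive-transfer sequences in proxy logs.

Added example; the log lines, process names and allowlist are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

TOKEN_HOST = "login.microsoftonline.com"
GRAPH_HOST = "graph.microsoft.com"
# /{tenant}/oauth2/v2.0/token or /{tenant}/oauth2/token
TOKEN_PATH_RE = re.compile(r"^/[^/]+/oauth2/(v2\.0/)?token$")
# .../me/drive/root:/path:/content, .../drives/{id}/items/{id}/content, etc.
DRIVE_CONTENT_RE = re.compile(
    r"^/(v1\.0|beta)/"
    r"(?:(?:me|users/[^/]+|sites/[^/]+|groups/[^/]+)/drive|drives/[^/]+)"
    r"/(?:root|items/[^/]+).*?/content$"
)
# Assumed allowlist of processes that legitimately use Graph in this environment.
DEFAULT_ALLOWLIST = frozenset({"onedrive.exe", "msedge.exe", "teams.exe"})

# Constructed sample: "<iso-ts> <host> <process> <method> <url> <status>"
SAMPLE_LOG = """\
2022-03-01T09:00:01Z WS01 powershell.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token 200
2022-03-01T09:00:02Z WS01 powershell.exe GET https://graph.microsoft.com/v1.0/me/drive/root:/in/cmd.txt:/content 200
2022-03-01T09:00:05Z WS01 powershell.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/out/hr-payroll.zip:/content 201
2022-03-01T09:01:10Z WS02 OneDrive.exe POST https://login.microsoftonline.com/common/oauth2/v2.0/token 200
2022-03-01T09:01:11Z WS02 OneDrive.exe PUT https://graph.microsoft.com/v1.0/me/drive/root:/Documents/notes.docx:/content 201
2022-03-01T09:02:00Z WS03 msedge.exe GET https://www.example.com/ 200
2022-03-01T09:03:00Z WS04 rundll32.exe PUT https://graph.microsoft.com/v1.0/drives/b!abc123/items/01XYZ/content 201
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    process: str
    method: str
    url: str
    status: int


@dataclass(frozen=True)
class Finding:
    host: str
    process: str
    technique: str
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed space-separated format, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, method, url, status = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, host, proc, method, url, int(status)))
    return sorted(events, key=lambda e: e.ts)


def hunt(log_text: str, allowlist=DEFAULT_ALLOWLIST,
         window: timedelta = timedelta(minutes=10)) -> list[Finding]:
    """Flag Graph drive content transfers by non-allowlisted processes.

    A POST to the token endpoint by the same (host, process) within `window`
    is recorded so the finding can note a preceding OAuth token grant.
    """
    last_token: dict[tuple[str, str], datetime] = {}
    findings: list[Finding] = []
    for ev in parse_log(log_text):
        u = urlsplit(ev.url)
        key = (ev.host, ev.process)
        if u.hostname == TOKEN_HOST and ev.method == "POST" and TOKEN_PATH_RE.match(u.path):
            last_token[key] = ev.ts
            continue
        if u.hostname != GRAPH_HOST or not DRIVE_CONTENT_RE.match(u.path or ""):
            continue
        if ev.process.lower() in allowlist:
            continue
        if ev.method == "PUT":
            technique = "T1567.002"  # upload of local data to cloud storage
        elif ev.method == "GET":
            technique = "T1105"      # download of tasking/tools to the host
        else:
            continue
        recent = key in last_token and ev.ts - last_token[key] <= window
        detail = f"{ev.method} {u.path}"
        if recent:
            detail += " after OAuth token grant (T1550.001 candidate)"
        findings.append(Finding(ev.host, ev.process, technique, detail))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host} {f.process} {f.technique}: {f.detail}")
```

On the sample, the two powershell.exe transfers on WS01 are reported with the preceding token grant noted, the rundll32.exe upload on WS04 is reported without it, and the allowlisted OneDrive.exe traffic is ignored. The proxy log does not reveal which OAuth grant type the POST used, so a token request is a pivot point rather than proof of refresh-token replay; confirm the grant and the client application in the identity provider's sign-in logs.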