ATT&CK v16 has been released! Check out the blog post for more information.

CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.^[1]

ID: S1024

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 08 July 2022

Last Modified: 08 August 2022

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	CreepySnail can use HTTP for C2.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	CreepySnail can use PowerShell for execution, including the cmdlets `Invoke-WebRequst` and `Invoke-Expression`.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	CreepySnail can use Base64 to encode its C2 traffic.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	CreepySnail can connect to C2 for data exfiltration.^[1]
Enterprise	T1016		System Network Configuration Discovery	CreepySnail can use `getmac` and `Get-NetIPAddress` to enumerate network settings.^[1]
Enterprise	T1033		System Owner/User Discovery	CreepySnail can execute `getUsername` on compromised systems.^[1]
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	CreepySnail can use stolen credentials to authenticate on target networks.^[1]

Groups That Use This Software

ID	Name	References
G1005	POLONIUM	^[1]

References

Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.