CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 with, and exfiltration to, actor-controlled OneDrive accounts.[1]
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | CreepyDrive can upload files to C2 from victim machines.[1] |
| Enterprise | T1550.001 | Use Alternate Authentication Material: Application Access Token | CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | CreepyDrive can use PowerShell for execution, including the cmdlets |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.[1] |
| Enterprise | T1083 | File and Directory Discovery | CreepyDrive can specify the local file path to upload files from.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | CreepyDrive can use OneDrive for C2.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | CreepyDrive can download files to the compromised host.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | CreepyDrive can use cloud services including OneDrive for data exfiltration.[1] |