1. Home
  2. Software
  3. CreepySnail

CreepySnail

CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]

ID: S1024
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 08 July 2022
Last Modified: 08 August 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

CreepySnail can use HTTP for C2.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

CreepySnail can use PowerShell for execution, including the cmdlets Invoke-WebRequst and Invoke-Expression.[1]
Enterprise T1132 .001 Data Encoding: Standard Encoding

CreepySnail can use Base64 to encode its C2 traffic.[1]
Enterprise T1041 Exfiltration Over C2 Channel

CreepySnail can connect to C2 for data exfiltration.[1]
Enterprise T1016 System Network Configuration Discovery

CreepySnail can use getmac and Get-NetIPAddress to enumerate network settings.[1]
Enterprise T1033 System Owner/User Discovery

CreepySnail can execute getUsername on compromised systems.[1]
Enterprise T1078 .002 Valid Accounts: Domain Accounts

CreepySnail can use stolen credentials to authenticate on target networks.[1]

Groups That Use This Software

ID Name References
G1005 POLONIUM

[1]

References

  1. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.