CreepySnail

Malware Profile Updated 3 months ago
CreepySnail is malware that can infect a computer or device through suspicious downloads, emails or websites, and steal personal information or disrupt operations. It uses Base64-encoded parameters to transmit information from the victim to the threat actor, and static URI parameters that can be detected using specific queries. Once deployed on a target network, it attempts to authenticate using stolen credentials and connect to POLONIUM C2 for further actions on objectives, such as data exfiltration or further abuse as C2.

In Israel, OilRig deployed a new custom backdoor called Mango and the SC5k downloader, while POLONIUM used a modified CreepySnail. The C2 addresses for POLONIUM's CreepySnail implant include 135[.]125[.]147[.]170:80, 185[.]244[.]129[.]79:63047, 185[.]244[.]129[.]79:80, 45[.]80[.]149[.]108:63047, 45[.]80[.]149[.]108:80, 45[.]80[.]149[.]57:63047, 45[.]80[.]149[.]68:63047 and 45[.]80[.]149[.]71:80, along with several other indicators.

Keeping devices and software up to date and practicing safe browsing habits is essential to avoid falling victim to malware like CreepySnail. Security measures such as firewalls and antivirus software can also prevent malware infections. If infected, it is recommended to seek professional help to remove the malware and secure the system.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Backdoor
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
| ID | Type | Votes | Profile Description |
|---|---|---|---|
| POLONIUM | Unspecified | 2 | Polonium is a threat actor group, believed to be based in Lebanon, that has been responsible for significant cyberattacks on Israel's operational technology (OT) and critical infrastructure. In December, Israel's National Cyber Directorate issued warnings that Polonium had targeted critical sectors |
| OilRig | Unspecified | 1 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as |
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the CreepySnail Malware was read from the documents corpus below.
| Source | Created At | Title |
|---|---|---|
| MITRE | a year ago | Exposing POLONIUM activity and infrastructure targeting Israeli organizations - Microsoft Security Blog |
| ESET | a year ago | ESET APT Activity Report Q4 2022–Q1 2023 \| WeLiveSecurity |