CreepyDrive

(Type: Backdoor, Downloader, Exfiltration)

(ESET) CreepyDrive is a PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox. It can upload or download files from attacker-controlled accounts in these cloud services, and execute supplied PowerShell code.

[News Analysis] Trends:

Total Trend: 0


[TTP Analysis] Technique Performance (techniques used / techniques in tactic):

Tactic                  Used/Total
reconnaissance          0/43
resource development    0/45
initial access          0/19
execution               1/36
persistence             0/113
privilege escalation    0/96
defense evasion         1/184
credential access       0/63
discovery               1/44
lateral movement        1/22
collection              1/37
command and control     3/39
exfiltration            1/18
impact                  0/26


[TTP Analysis] Mitre Attack Matrix:

Tactic columns: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Execution (TA0002)
  T1059.001  Command and Scripting Interpreter: PowerShell
Defense Evasion (TA0005)
  T1550.001  Use Alternate Authentication Material: Application Access Token
Discovery (TA0007)
  T1083      File and Directory Discovery
Lateral Movement (TA0008)
  T1550.001  Use Alternate Authentication Material: Application Access Token
Collection (TA0009)
  T1005      Data from Local System
Command and Control (TA0011)
  T1071.001  Application Layer Protocol: Web Protocols
  T1105      Ingress Tool Transfer
  T1102.002  Web Service: Bidirectional Communication
Exfiltration (TA0010)
  T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

Basic Information (Credit @etda.or.th)

Tool: CreepyDrive

Names: CreepyDrive

Description: (ESET) CreepyDrive is a PowerShell backdoor that reads and executes commands from a text file stored on OneDrive or Dropbox. It can upload or download files from attacker-controlled accounts in these cloud services, and execute supplied PowerShell code.

Category: Malware

Type: Backdoor, Downloader, Exfiltration

Information: https://www.welivesecurity.com/2022/10/11/polonium-targets-israel-creepy-malware/

Mitre-attack: https://attack.mitre.org/software/S1023/

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactic columns: TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Execution (TA0002)
  T1059.001  Command and Scripting Interpreter: PowerShell
    CreepyDrive can use PowerShell for execution, including the cmdlets Invoke-WebRequest and Invoke-Expression.

Defense Evasion (TA0005)
  T1550.001  Use Alternate Authentication Material: Application Access Token
    CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.

Discovery (TA0007)
  T1083      File and Directory Discovery
    CreepyDrive can specify the local file path to upload files from.

Lateral Movement (TA0008)
  T1550.001  Use Alternate Authentication Material: Application Access Token
    CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive.

Collection (TA0009)
  T1005      Data from Local System
    CreepyDrive can upload files to C2 from victim machines.

Command and Control (TA0011)
  T1071.001  Application Layer Protocol: Web Protocols
    CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.
  T1105      Ingress Tool Transfer
    CreepyDrive can download files to the compromised host.
  T1102.002  Web Service: Bidirectional Communication
    CreepyDrive can use OneDrive for C2.

Exfiltration (TA0010)
  T1567.002  Exfiltration Over Web Service: Exfiltration to Cloud Storage
    CreepyDrive can use cloud services including OneDrive for data exfiltration.