Crambus

Threat Actor updated 4 months ago (2024-05-04T21:17:57.902Z)
The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In its most recent attack, between February and September 2023, the group infiltrated an unnamed Middle Eastern government's network and remained undetected for eight months, according to reports from Broadcom's Symantec cybersecurity unit. The group implanted malware that monitored incoming emails on an Exchange Server, executed commands the attackers sent via email, and forwarded the results back to them. The intrusion led to widespread compromise of the target: malicious software was detected on at least 12 computers, and backdoors and keyloggers were installed on a dozen more machines.

During this prolonged intrusion, Crambus deployed three previously undiscovered pieces of malware alongside the PowerExchange backdoor, a known tool that had not been attributed to Crambus until now. The new malware families were identified as the Tokel backdoor, the Dirps trojan, and the Clipog infostealer. Between them they provide PowerShell command execution, file download, file enumeration, clipboard data theft, keylogging, and logging of the processes in which keystrokes are entered. The PowerExchange backdoor was specifically used to access Microsoft Exchange Servers with hardcoded credentials, allowing the attackers to watch for specific emails and execute PowerShell commands.

Crambus has been active since its initial detection in 2015 and, according to US and Israeli intelligence sources, operates under the direction of the Iranian government. In its latest campaign the group developed four new downloaders, SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, adding to an already large arsenal of custom malware.
This continued evolution of its toolset, combined with its ability to remain undetected over extended periods, underscores the persistent and sophisticated nature of the threat posed by the Crambus group.
Description last updated: 2024-05-04T21:13:58.664Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
OilRig
3
OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Helix Kitten
2
Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
APT34
2
APT34, also known as OilRig, EUROPIUM, and Hazel Sandstorm, is a threat actor suspected to be affiliated with the Iranian government. Operational since at least 2014, it has conducted broad cyber espionage operations, primarily focusing on reconnaissance efforts to benefit Iranian national interests
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Symantec
Espionage
Analyst Notes & Discussion
Source Document References
Information about the Crambus Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Preview | Source Link | Created At | Title
DARKReading
9 months ago
Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU
a year ago
The latest cyberattacks (24 October 2023)
CERT-EU
a year ago
Iranian State Sponsored Hackers On The Attack
CERT-EU
a year ago
Crambus: New Campaign Targets Middle Eastern Government - Cyber Security Review
CERT-EU
a year ago
Iranian Hackers Lurked for 8 Months in Government Network | Antivirus and Security news
CERT-EU
a year ago
Iranian Hackers Lurked for 8 Months in Government Network
CERT-EU
a year ago
New cyber campaign targeted Middle Eastern government, researchers say
CERT-EU
a year ago
Crambus: New Campaign Targets Middle Eastern Government
CERT-EU
a year ago
Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months
MITRE
2 years ago
Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments