Crambus

The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network undetected for eight months, according to reports from Broadcom’s Symantec cybersecurity unit. The group successfully implanted malware to monitor incoming emails from an Exchange Server, execute commands sent by the attackers via emails, and forward results back to them. The intrusion led to widespread compromise of the target, with malicious software detected on at least 12 computers, and backdoors and keyloggers installed on a dozen more machines. During this prolonged intrusion, Crambus deployed three previously undiscovered pieces of malware alongside the PowerExchange backdoor, a known tool that hadn’t been attributed to Crambus until now. These new malware families were identified as the Tokel backdoor, the Dirps trojan, and the Clipog infostealer, each having unique capabilities such as PowerShell command execution, file download, enumeration, clipboard data theft, keylogging, and logging processes where keystrokes are entered. The PowerExchange backdoor was specifically used to access Microsoft Exchange Servers using hardcoded credentials, allowing the attackers to monitor for specific emails and execute PowerShell commands. Crambus has been active since its initial detection in 2015, operating under the direction of the Iranian government according to US and Israeli intelligence sources. In their latest campaign, they developed four new downloaders — SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster — adding to their already large arsenal of custom malware. This continued evolution of their toolset, combined with their ability to remain undetected over extended periods, underscores the persistent and sophisticated nature of the threat posed by the Crambus group.