Crambus

Threat Actor Profile Updated 3 months ago
Crambus, also tracked as OilRig, APT34 and under several other vendor names, is an Iranian espionage group with long experience in sustained intrusion campaigns. In the most recent campaign reported by Broadcom's Symantec unit, the group sat inside the network of an unnamed Middle Eastern government from February to September 2023, roughly eight months, without being detected. Its malware monitored a mailbox on the victim's Exchange Server, executed commands that the attackers delivered in e-mails, and returned the output by e-mail. The compromise was broad: malicious activity was confirmed on at least 12 computers, and there is evidence that backdoors and keyloggers were installed on dozens more.

During the intrusion Crambus used three previously undocumented malware families alongside the PowerExchange backdoor, a known tool that had not been attributed to Crambus until this campaign. The new families are the Tokel backdoor (PowerShell command execution and file download), the Dirps trojan (file enumeration and PowerShell execution) and the Clipog infostealer (clipboard theft, keylogging, and logging of the process in which each keystroke is entered). PowerExchange itself authenticates to the Exchange Server with hardcoded credentials, watches the mailbox for specific e-mails, runs the PowerShell commands they carry and mails the results back. Because the command channel rides on the organisation's own mail flow, there is no beacon to an attacker-controlled host for perimeter tooling to notice.

Crambus has been active since at least 2015 and, according to US and Israeli intelligence assessments, operates on behalf of the Iranian government. In campaigns documented separately by ESET, the group added four more downloaders to its already large arsenal of custom malware: SampleCheck5000 (SC5k, versions 1 to 3), ODAgent, OilCheck and OilBooster. All four use legitimate Microsoft cloud e-mail and file-storage services (Exchange Web Services and the Graph API for Outlook and OneDrive) as their command-and-control channel, the same tactic PowerExchange applies to an on-premises Exchange Server.
This steady turnover in tooling, combined with the group's ability to stay resident for months at a time, is what makes Crambus a persistent and capable threat to government targets in the region.
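One way to hunt for the mailbox-based command channel described above (PowerExchange on an on-premises Exchange Server, or the EWS-backed SC5k downloader) from the Exchange side, as an added example that is not part of the original page or of any vendor's tooling: correlate message tracking log records and flag internal mailboxes that answer the same external sender within seconds, repeatedly. A human helpdesk replies once, hours later; a backdoor that executes a command and mails back the output replies in seconds, every time. The sample log, the victim domain gov.example, the reduced set of columns and the thresholds are constructed for illustration; only the column names and the DELIVER/SEND event IDs follow the real message tracking log format.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample in a reduced message-tracking-log layout (not real data).
# svc-mail@gov.example answers ops@mail.example within seconds of every inbound
# mail, once an hour: the request/response rhythm of an e-mail C2 channel.
# helpdesk@gov.example answers a citizen once, hours later, and procurement
# answers a vendor once: ordinary correspondence.
SAMPLE_LOG = """date-time,event-id,sender-address,recipient-address,message-subject
2023-05-02T08:00:12Z,DELIVER,ops@mail.example,svc-mail@gov.example,Update
2023-05-02T08:00:41Z,SEND,svc-mail@gov.example,ops@mail.example,Re: Update
2023-05-02T09:00:05Z,DELIVER,ops@mail.example,svc-mail@gov.example,Update
2023-05-02T09:00:33Z,SEND,svc-mail@gov.example,ops@mail.example,Re: Update
2023-05-02T10:00:09Z,DELIVER,ops@mail.example,svc-mail@gov.example,Update
2023-05-02T10:00:37Z,SEND,svc-mail@gov.example,ops@mail.example,Re: Update
2023-05-02T11:00:02Z,DELIVER,ops@mail.example,svc-mail@gov.example,Update
2023-05-02T11:00:30Z,SEND,svc-mail@gov.example,ops@mail.example,Re: Update
2023-05-02T08:15:00Z,DELIVER,citizen@isp.example,helpdesk@gov.example,Passport renewal
2023-05-02T13:40:00Z,SEND,helpdesk@gov.example,citizen@isp.example,Re: Passport renewal
2023-05-02T12:00:00Z,DELIVER,vendor@isp.example,procurement@gov.example,Invoice 4471
2023-05-02T12:00:45Z,SEND,procurement@gov.example,vendor@isp.example,Re: Invoice 4471
"""

INTERNAL_DOMAIN = "gov.example"  # assumed victim mail domain


def parse_records(text):
    """Parse CSV tracking records into dicts with a datetime, oldest first."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["date-time"] = datetime.strptime(row["date-time"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    rows.sort(key=lambda r: r["date-time"])
    return rows


def find_mailbox_c2(records, reply_window=timedelta(minutes=2), min_exchanges=3):
    """Return {(internal_mailbox, external_peer): count} for every pair where the
    internal mailbox sent a reply to the peer within reply_window of an inbound
    delivery from that peer at least min_exchanges times."""
    suffix = "@" + INTERNAL_DOMAIN
    pending = defaultdict(list)   # (mailbox, peer) -> unanswered delivery times
    exchanges = defaultdict(int)  # (mailbox, peer) -> fast request/response pairs
    for r in records:
        if r["event-id"] == "DELIVER" and r["recipient-address"].endswith(suffix):
            pending[(r["recipient-address"], r["sender-address"])].append(r["date-time"])
        elif r["event-id"] == "SEND" and r["sender-address"].endswith(suffix):
            key = (r["sender-address"], r["recipient-address"])
            unanswered = pending.get(key, [])
            # Pair the reply with the most recent unanswered inbound from this peer.
            if unanswered and r["date-time"] - unanswered[-1] <= reply_window:
                unanswered.pop()
                exchanges[key] += 1
    return {k: v for k, v in exchanges.items() if v >= min_exchanges}


if __name__ == "__main__":
    for (mailbox, peer), n in find_mailbox_c2(parse_records(SAMPLE_LOG)).items():
        print(f"possible mailbox C2: {mailbox} <-> {peer}, {n} fast exchanges")
```

On a real deployment the input would come from Get-MessageTrackingLog exported to CSV, and the hits should be joined with IIS/EWS access logs to check whether the replying mailbox is driven by a process on the Exchange Server itself rather than by a user's client, which is the PowerExchange deployment pattern.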
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
OilRig (3 votes): OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as

Helix Kitten (2 votes): Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using a different name for the same entity. Th

APT34 (2 votes): APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance

MuddyWater (1 vote): MuddyWater is an advanced persistent threat (APT) group, also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros. This threat actor has been linked to the Iranian Ministry of Intelligence and Security (MOIS) according to a joint advisory. It is a separate Iranian cluster from Crambus, although some reporting has conflated the two. The group empl

Siamesekitten (1 vote): Siamesekitten is ClearSky's name for the Lyceum cluster, which several vendors associate with OilRig (APT34, Crambus) but track as a distinct group. This cyberespionage entity is believed to be based in Iran, has been active since at least 2018 (see the Lyceum entry below), and has targeted organizations across the globe. The group is known for its sophisticated

POWRUNER (1 vote): POWRUNER is a PowerShell-based backdoor used by APT34, reported together with the POWBAT and BONDUPDATER tools. It sends and receives commands to and from its command-and-control server and is typically delivered through malicious documents attached to phishing e-mails.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, Symantec, Backdoor, Espionage, ESET, Microsoft, PowerShell, Israel, Infostealer, Government, Trojan
Associated Malware
SC5k (type unspecified, 1 vote): SC5k, short for SampleCheck5000, is a downloader developed by OilRig and first observed in November 2021 during the group's Outer Space campaign. It uses the Exchange Web Services (EWS) API of a Microsoft Exchange mailbox as its command channel to download additional tools for the group.
Associated Threat Actors
Static Kitten (type unspecified, 1 vote): Static Kitten, also known as MuddyWater, Mercury, Mango Sandstorm, and TA450, is an Iranian government-sponsored hacking group suspected to be linked to the Iranian Ministry of Intelligence and Security. The group has been active since 2017 and is notorious for its cyber-espionage activities. Static

Lyceum (type unspecified, 1 vote): Lyceum, also known as DEV-0133 and potentially linked to the OilRig group (aka APT34, Helix Kitten, Cobalt Gypsy, Crambus, or Siamesekitten), is a threat actor believed to be a Farsi-speaking entity active since 2018. It is suspected to be a subordinate element within Iran's Ministry of Intelligenc

Waterbug (type unspecified, 1 vote): Waterbug, also known as Turla, Venomous Bear, and other aliases, is a cyberespionage group closely affiliated with the Russian FSB intelligence agency. This threat actor has been active since at least 2004, targeting government entities, intelligence agencies, educational institutions, research faci. It is not related to Crambus; the association comes from Symantec's 2019 Waterbug report (listed under Source Document References below), which described Waterbug hijacking Crambus infrastructure.
Associated Vulnerabilities
SampleCheck5000 / SC5k (type unspecified, 1 vote): SampleCheck5000 (SC5k) is not a vulnerability; it is a downloader used by the threat group OilRig, also known as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten, and is filed here by the dataset. No CVE or other software vulnerability is associated with Crambus on this page. This group has been linked to Iranian state interests and is notorious for its sophisticated c
Source Document References
Information about the Crambus Threat Actor was read from the documents corpus below (display limited to 20 results).

Source (created): Title
DARKReading (7 months ago): Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over
CERT-EU (9 months ago): The latest cyberattacks (24 October 2023) [French original: Les dernières cyberattaques (24 octobre 2023)]
CERT-EU (9 months ago): Iranian State Sponsored Hackers On The Attack
CERT-EU (9 months ago): Crambus: New Campaign Targets Middle Eastern Government - Cyber Security Review
CERT-EU (9 months ago): Iranian Hackers Lurked for 8 Months in Government Network | Antivirus and Security news
CERT-EU (9 months ago): Iranian Hackers Lurked for 8 Months in Government Network
CERT-EU (9 months ago): New cyber campaign targeted Middle Eastern government, researchers say
CERT-EU (9 months ago): Crambus: New Campaign Targets Middle Eastern Government
CERT-EU (9 months ago): Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months
MITRE (a year ago): Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments