Crambus

Threat Actor Profile Updated 13 days ago
The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack, between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network undetected for eight months, according to reports from Broadcom's Symantec cybersecurity unit. The group implanted malware to monitor incoming emails on an Exchange Server, execute commands sent by the attackers via email, and forward the results back to them. The intrusion led to widespread compromise of the target, with malicious software detected on at least 12 computers, and backdoors and keyloggers installed on a dozen more machines.

During this prolonged intrusion, Crambus deployed three previously undiscovered pieces of malware alongside the PowerExchange backdoor, a known tool that had not been attributed to Crambus until now. The new malware families were identified as the Tokel backdoor, the Dirps trojan, and the Clipog infostealer, each with distinct capabilities such as PowerShell command execution, file download, enumeration, clipboard data theft, keylogging, and logging the processes into which keystrokes are entered. The PowerExchange backdoor was specifically used to access Microsoft Exchange Servers using hardcoded credentials, allowing the attackers to monitor for specific emails and execute PowerShell commands.

Crambus has been active since its initial detection in 2015, operating under the direction of the Iranian government according to US and Israeli intelligence sources. In their latest campaign, they developed four new downloaders, SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster, adding to their already large arsenal of custom malware.

This continued evolution of their toolset, combined with their ability to remain undetected over extended periods, underscores the persistent and sophisticated nature of the threat posed by the Crambus group.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
OilRig | 3 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
Helix Kitten | 2 | Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
APT34 | 2 | APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has been involved in long-term cyber espionage operations primarily focused on reconnaissance
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Symantec
Espionage
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Crambus threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments
CERT-EU | 7 months ago | New cyber campaign targeted Middle Eastern government, researchers say
CERT-EU | 7 months ago | Crambus: New Campaign Targets Middle Eastern Government
CERT-EU | 7 months ago | Iranian Hackers Lurked for 8 Months in Government Network
CERT-EU | 7 months ago | Iranian State Sponsored Hackers On The Attack
CERT-EU | 7 months ago | Iran-Linked 'MuddyWater' Spies on Mideast Gov't for 8 Months
CERT-EU | 7 months ago | Crambus: New Campaign Targets Middle Eastern Government - Cyber Security Review
CERT-EU | 7 months ago | Iranian Hackers Lurked for 8 Months in Government Network | Antivirus and Security news
CERT-EU | 7 months ago | Les dernières cyberattaques (24 octobre 2023)
DARKReading | 5 months ago | Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over