Crambus

Threat Actor updated 23 days ago (2024-11-29T14:05:22.889Z)
Download STIX
Preview STIX
The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network undetected for eight months, according to reports from Broadcom’s Symantec cybersecurity unit. The group successfully implanted malware to monitor incoming emails from an Exchange Server, execute commands sent by the attackers via emails, and forward results back to them. The intrusion led to widespread compromise of the target, with malicious software detected on at least 12 computers, and backdoors and keyloggers installed on a dozen more machines. During this prolonged intrusion, Crambus deployed three previously undiscovered pieces of malware alongside the PowerExchange backdoor, a known tool that hadn’t been attributed to Crambus until now. These new malware families were identified as the Tokel backdoor, the Dirps trojan, and the Clipog infostealer, each having unique capabilities such as PowerShell command execution, file download, enumeration, clipboard data theft, keylogging, and logging processes where keystrokes are entered. The PowerExchange backdoor was specifically used to access Microsoft Exchange Servers using hardcoded credentials, allowing the attackers to monitor for specific emails and execute PowerShell commands. Crambus has been active since its initial detection in 2015, operating under the direction of the Iranian government according to US and Israeli intelligence sources. In their latest campaign, they developed four new downloaders — SampleCheck5000 (SC5k v1-v3), ODAgent, OilCheck, and OilBooster — adding to their already large arsenal of custom malware. This continued evolution of their toolset, combined with their ability to remain undetected over extended periods, underscores the persistent and sophisticated nature of the threat posed by the Crambus group.
Description last updated: 2024-05-04T21:13:58.664Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
OilRig is a possible alias for Crambus. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of
3
Helix Kitten is a possible alias for Crambus. Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
2
APT34 is a possible alias for Crambus. APT34, a threat actor suspected to be linked to Iran, has been operational since at least 2014 and is involved in long-term cyber espionage operations largely focused on reconnaissance efforts. The group targets a variety of sectors including financial, government, energy, chemical, and telecommunic
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Symantec
Espionage
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.