Iran-linked hacking group Crambus spent eight months inside a compromised network of a Middle Eastern government, Broadcom’s Symantec cybersecurity unit reports.
Symantec uses the Crambus name for clusters of activity that other cybersecurity firms are tracking as APT34 (also known as Cobalt Gypsy, OilRig, and Helix Kitten), and MuddyWater (aka Mango Sandstorm, Mercury, Seedworm, and Static Kitten).
Both APT34 and MuddyWater engage in espionage operations to support the objectives of the Iranian government, and MuddyWater was previously linked by US Cyber Command to Iranian intelligence.
As part of a recently identified attack, Crambus lurked between February and September 2023 in the compromised network of the government of a Middle Eastern country, stealing data and credentials, and deploying malware on multiple systems.
The attack started on February 1 with the execution of a PowerShell script on a single system. Malicious activity started on a second compromised system a few days later, and on a web server towards the end of February. In April, the attackers started executing commands on a domain controller.
While malicious activity was seen only on these systems until August, a second web server and additional systems were compromised toward the end of August and into September.
“Malicious activity occurred on at least 12 computers and there is evidence that the attackers deployed backdoors and keyloggers on dozens more,” Symantec says.
As part of the attack, Crambus installed a PowerShell backdoor dubbed PowerExchange, which can access Microsoft Exchange Servers using hardcoded credentials to monitor for emails sent by the attackers and execute PowerShell commands, write files, and steal files.
Additionally, the attackers used the network administration tool Plink to set port-forwarding rules and enable access via the Remote Desktop Protocol (RDP), and modified firewall rules to ensure remote access.
In addition to the PowerExchange backdoor, Crambus was seen deploying three new malware families, namely the Tokel backdoor (for PowerShell command execution and file download), the Dirps trojan (PowerShell command execution and file enumeration), and the Clipog infostealer (clipboard data theft, keylogging, and logging of processes where keystrokes are entered).