October 19, 2023 at 06:39AM
Between February and September 2023, the Iran-linked threat actor OilRig conducted an eight-month cyber espionage campaign against an unnamed Middle East government. The attack involved the theft of files and passwords, as well as the deployment of a PowerShell backdoor called PowerExchange. Additional malware used included Tokel, Dirps, and Clipog. The campaign highlights the persistent threat posed by Crambus (Symantec's name for the group), an experienced espionage actor with expertise in long-running operations.
Meeting Notes – October 19, 2023 – Newsroom Cyber Attack / Cyber Espionage
– A Middle East government was targeted by the Iran-linked threat actor OilRig between February and September 2023.
– The attack lasted for eight months and resulted in the theft of files and passwords.
– The Symantec Threat Hunter Team, part of Broadcom, reported on the attack and identified a PowerShell backdoor called PowerExchange as one of the tools used.
– The PowerExchange implant was used to monitor and execute commands sent by the attackers through emails.
– Malicious activity was detected on 12 computers, with backdoors and keyloggers installed on 12 other machines.
– Fortinet FortiGuard Labs previously highlighted the use of PowerExchange in an attack targeting a government entity associated with the United Arab Emirates.
– Alongside PowerExchange, three other malware families were deployed:
  – Tokel: a backdoor for executing PowerShell commands and downloading files.
  – Dirps: a trojan capable of enumerating files and executing PowerShell commands.
  – Clipog: an information stealer designed to harvest clipboard data and keystrokes.
– Initial access to the government network is suspected to have involved email phishing.
– Malicious activity continued until September 9, 2023.
– Symantec, which tracks OilRig under the name Crambus, described the threat actor as a long-running and experienced espionage group with expertise in carrying out lengthy campaigns targeting organizations in the Middle East and beyond.