The Iran-linked OilRig threat actor targeted an unnamed Middle East government between February and September 2023 as part of an eight-month-long campaign.
The attack led to the theft of files and passwords and, in one instance, resulted in the deployment of a PowerShell backdoor called PowerExchange, the Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News.
The cybersecurity firm is tracking the activity under the name Crambus, noting that the adversary used the implant to "monitor incoming mails sent from an Exchange Server in
order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers."
Malicious activity is said to have been detected on no less than 12 computers, with backdoors and keyloggers installed on a dozen other machines, indicating a broad compromise of the target.
The use of PowerExchange was first highlighted by Fortinet FortiGuard Labs in May 2023, documenting an attack chain targeting a government entity associated with the United Arab Emirates.
The implant, which monitors incoming emails to compromised mailboxes after logging into a Microsoft Exchange Server with hard-coded credentials, enables the threat actor to run arbitrary payloads and upload and download files from and to the infected host.
"Mails received with '@@' in the subject contain commands sent from the attackers, which allows them to execute arbitrary PowerShell commands, write files, and steal files," the company explained. The malware creates an Exchange rule (called 'defaultexchangerules') to filter these messages and move them to the Deleted Items folder automatically."
Also deployed alongside PowerExchange were three previously undiscovered pieces of malware, which are described below -
- Tokel, a backdoor to execute arbitrary PowerShell commands and download files
- Dirps, a trojan capable of enumerating files in a directory and executing PowerShell commands, and
- Clipog, an information stealer designed to harvest clipboard data and keystrokes
While the exact mode of initial access was not disclosed, it's suspected to have involved email phishing. Malicious activity on the government network continued until September 9, 2023.
"Crambus is a long-running and experienced espionage group that has extensive expertise in carrying out long campaigns aimed at targets of interest to Iran," Symantec said. "Its activities over the past two years demonstrate that it represents a continuing threat for organizations in the Middle East and further afield."
