OilRig, linked to Iran, targets Middle Eastern governments in a cyber campaign lasting more than 8 months

The OilRig threat actor, believed to be linked to Iran, conducted an extensive eight-month campaign targeting an unspecified Middle East government between February and September 2023. According to a report by the Symantec Threat Hunter Team, a part of Broadcom, this attack resulted in the theft of files and passwords, with one instance involving the deployment of a PowerShell backdoor known as PowerExchange.

Symantec tracks the group under the codename "Crambus." The attackers used the PowerExchange implant to monitor incoming email on a compromised Exchange Server, executed the commands delivered in those emails, and discreetly relayed the results back to their command-and-control infrastructure.

The security team detected malicious activity on at least 12 computers, where backdoors and keyloggers had been installed. This suggests a broad compromise of the target.

PowerExchange was first identified by Fortinet FortiGuard Labs in May 2023, when it documented an attack on a government entity associated with the United Arab Emirates. The implant lets the operators run arbitrary payloads and upload or download files on the compromised host by monitoring incoming email. Specifically, emails containing '@@' in the subject line carried commands from the attackers, enabling them to execute PowerShell commands, write files, and exfiltrate files. The malware also created an Exchange rule named 'defaultexchangerules' to automatically move these messages into the Deleted Items folder, hiding the command traffic from the mailbox owner.
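A defender-side hunt for the two indicators the paragraph describes: the 'defaultexchangerules' rule that diverts mail to Deleted Items, and inbound messages tagged with '@@' in the subject. This is an added example, not code from the Symantec or Fortinet reports; the record field names and the sample rules and messages are constructed assumptions, and the behaviour check generalises slightly beyond the reported rule name.

```python
"""Flag PowerExchange-style mailbox indicators from exported Exchange data.

Records are constructed samples shaped like exported inbox rules and
message-tracking entries; the field names are assumptions, not a schema."""
import re

SUSPICIOUS_RULE_NAME = "defaultexchangerules"   # rule name from the reporting
COMMAND_MARKER = re.compile(r"@@")               # subject tag used by PowerExchange

# Constructed sample data so the script runs offline.
SAMPLE_RULES = [
    {"mailbox": "svc-exch@example.gov", "name": "defaultexchangerules",
     "move_to": "Deleted Items", "subject_contains": "@@"},
    {"mailbox": "alice@example.gov", "name": "Newsletters",
     "move_to": "Archive", "subject_contains": "newsletter"},
]
SAMPLE_MESSAGES = [
    {"recipient": "svc-exch@example.gov", "sender": "external@example.net",
     "subject": "@@ status report"},
    {"recipient": "alice@example.gov", "sender": "bob@example.gov",
     "subject": "Lunch on Friday?"},
]


def suspicious_rules(rules: list[dict]) -> list[dict]:
    """Flag rules carrying the reported name, or (looser generalisation) any
    rule that silently files '@@'-tagged mail into Deleted Items."""
    hits = []
    for r in rules:
        by_name = r.get("name", "").lower() == SUSPICIOUS_RULE_NAME
        by_behaviour = (r.get("move_to", "").lower() == "deleted items"
                        and COMMAND_MARKER.search(r.get("subject_contains", "")))
        if by_name or by_behaviour:
            hits.append({**r, "reason": "name" if by_name else "behaviour"})
    return hits


def tagged_messages(messages: list[dict]) -> list[dict]:
    """Return messages whose subject carries the '@@' command marker."""
    return [m for m in messages if COMMAND_MARKER.search(m.get("subject", ""))]


if __name__ == "__main__":
    for hit in suspicious_rules(SAMPLE_RULES):
        print(f"rule  {hit['mailbox']}: {hit['name']} ({hit['reason']})")
    for msg in tagged_messages(SAMPLE_MESSAGES):
        print(f"mail  {msg['recipient']} <- {msg['sender']}: {msg['subject']!r}")
```

In a real environment the rule records would come from an export of each mailbox's inbox rules and the messages from Exchange message-tracking logs; matching only on the rule name misses renamed variants, which is why the behaviour check is included.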

In addition to PowerExchange, three previously undiscovered pieces of malware were deployed in this campaign:

  • Tokel: A backdoor that executes arbitrary PowerShell commands and downloads files.
  • Dirps: A trojan capable of enumerating files in a directory and executing PowerShell commands.
  • Clipog: An information stealer designed to harvest clipboard data and keystrokes.

Although the initial access method was not disclosed, email phishing is suspected to have played a role. The malicious activity continued on the government network until September 9, 2023.

Symantec characterizes Crambus as a highly experienced and persistent espionage group with a significant focus on targets of interest to Iran. Their activities over the past two years underscore the ongoing threat they pose to organizations in the Middle East and beyond.
