Rewterz Threat Alert – Middle East Government Network Targeted by Iranian APT OilRig in 8-Month Campaign – Active IOCs

Severity

High

Analysis Summary

OilRig (APT34), the Iranian hacking group, successfully infiltrated a Middle Eastern government network, compromising a minimum of twelve computers and maintaining undetected access for a period spanning eight months from February to September 2023. The threat actors were able to steal a large number of files and passwords, as well as deployed a PowerShell backdoor called PowerExchange.

Cybersecurity researchers are tracking the campaign by the name Crambus. The actors used the implant to observe incoming mails sent from an exchange server so they could execute commands in the form of emails. The malicious activity has been detected in about twelve computers, also with backdoors and keyloggers installed on a dozen other machines.

Researchers first discovered the use of PowerExchange in May 2023 when an attack chain targeting a government entity in the United Arab Emirates was documented. The implant that is used to watch over incoming emails to the infected inboxes helps the attacker in running arbitrary payloads and download/upload files to and from the compromised device.

The cybersecurity experts explained, “Mails received with ‘@@’ in the subject contain commands sent from the attackers, which allows them to execute arbitrary PowerShell commands, write files, and steal files. The malware creates an Exchange rule (called ‘defaultexchangerules’) to filter these messages and move them to the Deleted Items folder automatically.”

Three previously unknown malware were also deployed alongside PowerExchange:

• Tokel: A backdoor that can execute arbitrary PowerShell commands and also download files
• Clipog: An information stealer capable of stealing clipboard data and can also record keystrokes
• Drips: A trojan that is able to enumerate files in a directory as well as PowerShell commands

The method of initial access isn’t known currently, but it is suspected to be via email phishing. The malicious activity on the government network came to an end after 9^th September, 2023. Crambus is an experienced espionage group with a lot of expertise in executing persistent campaigns. It continues being a threat for Middle Eastern organizations.

In essence, this threat actor group employs a diverse arsenal of tools, scripts, and methods to extend their access and ensure their presence on numerous compromised network systems. Their actions encompass reconnaissance, lateral movement, and data exfiltration, showcasing their extensive capabilities as a threat group.”

Impact

• Cyber Espionage
• Sensitive Data Theft

Indicators of Compromise

MD5

• 576a1d9e79bf32120d74eabae45f17ab

SHA-256

• 75878356f2e131cefb8aeb07e777fcc110475f8c92417fcade97e207a94ac372

SHA-1

• 56df507f945d6149a1f0090a19c71254cc08c84e

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Do not download documents attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using multi-layered protection is necessary to secure vulnerable assets
• Change all passwords on compromised accounts and systems. Implement strong, unique passwords and consider implementing multi-factor authentication (MFA) to enhance security.
• Continuously monitor network traffic and system logs for suspicious activity, using intrusion detection and prevention systems.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Maintain daily backups of all computer networks and servers.
• Keep all software, operating systems, and applications up to date with the latest security patches.
• Continuously monitor network and system logs for unusual or suspicious activities.
• Deploy security information and event management (SIEM) solutions to centralize log analysis