Iranian Crambus Actors Modify Windows Firewall Rules To Enable Remote Access

The Crambus espionage group, also known as OilRig or APT34, has a lengthy history and a great deal of experience conducting prolonged attacks against Iranian targets.

The Iranian-linked attackers targeted a Middle Eastern government between February and September 2023, compromising several computers and servers.

According to Symantec, there is evidence that the attackers modified the Windows firewall rules to allow remote access.

Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the U.S., and Turkey were just a few of the nations against which Crambus conducted operations.

The gang is notorious for staging ongoing attacks for espionage and information gathering. In recent years, social engineering techniques have heavily supplemented the early phases of its attacks.


Specifics of the New Campaign Targets Middle Eastern Government

In one case, the attackers compromised the system, stole data and credentials, and installed a PowerShell backdoor dubbed PowerExchange.

PowerExchange was used to covertly transfer what the attackers collected back to them, while also monitoring incoming emails on an Exchange Server so that commands the attackers sent via email could be executed.

Reports say at least 12 machines showed malicious activity, and there is evidence that the attackers installed backdoors and keyloggers on many more.

The attackers frequently used Plink, a publicly available network administration tool, to set up port-forwarding rules on infected computers so that they could be reached remotely via the Remote Desktop Protocol (RDP).

In addition to deploying malware, the attackers modified the Windows firewall rules to facilitate that remote access.
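The following audit script is an added example and is not code from the article or from Symantec: it checks a Windows host for the two remote-access enablers described above, enabled inbound firewall rules that expose RDP, recent firewall rule changes, and running Plink instances. It assumes Windows 8/Server 2012 or later (for the NetSecurity cmdlets) and an elevated PowerShell session.

```powershell
# Added example (not from the article): defender-side audit of the remote-access
# enablers described in the text. Assumes the NetSecurity module is present and
# the session is elevated.

function Get-ExposedRdpRules {
    # Enabled inbound allow rules whose port filter covers 3389 or any port.
    # Note: port ranges such as "3380-3390" are not expanded here.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $rule  = $_
            $ports = @(($rule | Get-NetFirewallPortFilter).LocalPort)
            if ($ports -contains '3389' -or $ports -contains 'Any') {
                [pscustomobject]@{
                    Name      = $rule.Name
                    Display   = $rule.DisplayName
                    Profile   = $rule.Profile
                    LocalPort = ($ports -join ',')
                    Program   = ($rule | Get-NetFirewallApplicationFilter).Program
                }
            }
        }
}

function Get-RecentFirewallRuleChanges([int]$Days = 30) {
    # The firewall's operational log records rule additions (event 2004) and
    # modifications (event 2005) without any extra audit policy.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id        = 2004, 2005
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{n = 'Summary'; e = { $_.Message.Split("`n")[0] }}
}

function Get-PlinkProcesses {
    # Plink is a legitimate PuTTY tool; on a server that never uses SSH
    # tunnelling, any running instance deserves a closer look.
    Get-CimInstance Win32_Process -Filter "Name LIKE 'plink%'" |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

Write-Host '== Enabled inbound allow rules exposing RDP =='
Get-ExposedRdpRules | Format-Table -AutoSize
Write-Host '== Firewall rule additions/modifications (last 30 days) =='
Get-RecentFirewallRuleChanges | Format-Table -AutoSize
Write-Host '== Running Plink instances =='
Get-PlinkProcesses | Format-Table -AutoSize
```

Any RDP-exposing rule that appears here but is absent from the host's documented baseline, or a rule change that coincides with a Plink process, is the kind of finding to triage against the activity described in the article.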

In addition to malware, the attackers used a variety of living-off-the-land and legitimate tools. The malware and tools observed include the following. Backdoor.Tokel is capable of running arbitrary PowerShell commands and downloading files; its command-and-control (C&C) address is stored in the working directory in a separate RC4-encrypted file named token.bin.

Trojan.Dirps is a tool for running PowerShell commands and enumerating all the files in a directory.

Infostealer.Clipog is information-stealing malware that can copy clipboard contents, log keystrokes, and record the processes in which those keystrokes were captured.

Mimikatz is a publicly available credential-dumping tool, and Plink is a command-line connection tool for the PuTTY SSH client.

The group was brought to light last year when Microsoft linked it to a destructive attack on the Albanian government. Crambus was suspected of obtaining initial access to and exfiltrating data from the affected networks, while other Iran-linked actors most likely deployed the wipers.

“After a 2019 leak of its toolset, there was some speculation that Crambus may disappear. However, its activities over the past two years demonstrate that it represents a continuing threat for organizations in the Middle East and further afield,” researchers said.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.