Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

Between February and September 2023, a government in an undisclosed Middle Eastern country was the target of an eight-month campaign by the Iran-linked threat actor OilRig.

The Symantec Threat Hunter Team, part of Broadcom, said in a report shared with The Hacker News that the attack led to the theft of files and credentials and, in one instance, to the deployment of a PowerShell backdoor called PowerExchange.

Symantec tracks the group under the name Crambus. It notes that the adversary used the implant to “monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and covertly forwarded results to the attackers.”

Malicious activity was found on at least 12 computers, and backdoors and keyloggers were installed on a further 12 systems, indicating an extensive compromise of the target network.

Fortinet FortiGuard Labs first documented PowerExchange in May 2023, while describing an attack chain aimed at a government organisation associated with the United Arab Emirates.

After authenticating to the victim’s Microsoft Exchange Server with hard-coded credentials, the implant monitors incoming email to the compromised mailboxes and gives the threat actor the ability to run arbitrary payloads and to upload and download files to and from the infected server.

“Mails received with ‘@@’ in the subject contain commands sent from the attackers, which allows them to execute arbitrary PowerShell commands, write files, and steal files,” the company stated. To keep these messages out of the mailbox owner’s view, the malware creates an Exchange inbox rule named “defaultexchangerules” that automatically moves them to the Deleted Items folder.
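The mechanism described above leaves a durable artefact: a mailbox rule that filters on the ‘@@’ subject marker and hides the matching mail. The following hunt is an added example, not code from the original article, from Symantec or from Fortinet. It assumes an Exchange Management Shell or Exchange Online PowerShell session in which Get-Mailbox and Get-InboxRule are available. The rule name “defaultexchangerules”, the ‘@@’ marker and the Deleted Items destination come from the report; the decision to flag any hidden-message rule with a ‘@@’ filter (so a renamed rule is still caught) and the CSV output path are my own assumptions.

```powershell
# Added example (not from the article or the cited reports): hunt for inbox rules
# matching the PowerExchange pattern. Requires Get-Mailbox / Get-InboxRule, i.e. an
# Exchange Management Shell or Exchange Online PowerShell session.
# From the report: rule name "defaultexchangerules", "@@" subject marker, messages
# moved to Deleted Items. The scoring approach and output path are assumptions.

$Marker   = '@@'
$RuleName = 'defaultexchangerules'
$Findings = New-Object System.Collections.Generic.List[object]

foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $reasons = @()

        # Signal 1: the exact rule name reported for PowerExchange.
        if ($rule.Name -ieq $RuleName) {
            $reasons += "rule name is '$RuleName'"
        }

        # Signal 2: a subject filter that would catch the attacker's command mails,
        # regardless of what the rule is called.
        $words = @($rule.SubjectContainsWords) + @($rule.SubjectOrBodyContainsWords) |
                 Where-Object { $_ }
        if ($words | Where-Object { $_ -like "*$Marker*" }) {
            $reasons += "subject filter contains '$Marker'"
        }

        # Signal 3: the rule hides the message (deletes it or files it under Deleted Items).
        # Alone this is common and benign, so it only counts alongside another signal.
        $hides = $rule.DeleteMessage -or ("$($rule.MoveToFolder)" -like '*Deleted Items*')
        if ($hides -and $reasons.Count -gt 0) {
            $reasons += 'matching mail is deleted or moved to Deleted Items'
        }

        if ($reasons.Count -gt 0) {
            $action = if ($rule.DeleteMessage) { 'DeleteMessage' } else { "$($rule.MoveToFolder)" }
            $Findings.Add([PSCustomObject]@{
                Mailbox  = $mbx.PrimarySmtpAddress
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                Filter   = ($words -join '; ')
                Action   = $action
                Reasons  = ($reasons -join '; ')
            })
        }
    }
}

$Findings | Sort-Object Mailbox | Format-Table -AutoSize
# Keep a copy for the incident record (path is an assumption).
$Findings | Export-Csv -Path .\suspicious-inbox-rules.csv -NoTypeInformation
```

Run it from an account with Exchange recipient-management rights. A hit on any mailbox is worth treating as a credential compromise as well as a malware finding, since the implant authenticates to Exchange with hard-coded credentials for that mailbox; reset the account and review its Exchange Web Services and mailbox audit logs for the campaign window before deleting the rule.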

PowerExchange was used alongside three previously undocumented malware families:

  • Tokel, a backdoor that executes arbitrary PowerShell commands and downloads files
  • Dirps, a trojan that enumerates the files in a directory and runs PowerShell commands
  • Clipog, an infostealer that captures keystrokes and clipboard data

The initial access vector has not been disclosed, although phishing emails are suspected. Malicious activity on the government network continued until September 9, 2023.

“Crambus is a long-running and experienced espionage group that has extensive expertise in carrying out long campaigns aimed at targets of interest to Iran,” Symantec stated. “Its activities over the past two years demonstrate that it represents a continuing threat for organisations in the Middle East and further afield.”
