Security researchers at Proofpoint have uncovered a sophisticated cyber espionage campaign targeting aviation and satellite communications organizations in the United Arab Emirates.
The campaign, attributed to a threat actor tracked as UNK_CraftyCamel, leveraged a compromised Indian electronics company to deliver highly customized malware to fewer than five organizations in fall 2024.
This attack represents a concerning evolution in supply chain compromise techniques, where threat actors exploit trusted business relationships to bypass traditional security measures.
The attackers sent malicious messages from a compromised entity that had established business relationships with the targets, using lures specifically customized for each victim.
These messages contained links to a domain (indicelectronics[.]net) mimicking the legitimate INDIC electronics company.
When victims clicked the link, they downloaded a ZIP archive containing what appeared to be business documents, including information about the electronics company and trade fair participation.
Investigation by Proofpoint researchers revealed an elaborate multi-stage infection chain utilizing polyglot files, a relatively uncommon technique in which a single file is valid as, and can be interpreted as, more than one file type.
The attack chain began with what appeared to be PDF files but actually contained hidden executable code.
One file was a PDF with an appended HTA (HTML Application) while another combined a PDF with a ZIP archive, demonstrating the threat actor’s technical sophistication and determination to evade detection.
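The two polyglot shapes described above (a PDF with an appended HTA, and a PDF with an appended ZIP) can be flagged by a file-inspection check that looks past the PDF trailer for a second format. The following is an added, defender-side example and is not Proofpoint's code or the campaign's; the sample files are constructed inline, and the detection uses only the signatures shown in the comments.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_EOCD = b"PK\x05\x06"   # ZIP end-of-central-directory signature (near end of file)
ZIP_LOCAL = b"PK\x03\x04"  # ZIP local file header signature
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")  # compared case-insensitively

def classify_polyglot(data: bytes) -> list[str]:
    """Return findings for a file that starts as a PDF but carries another
    format appended after the final %%EOF trailer; empty list if clean."""
    findings: list[str] = []
    if not data.startswith(PDF_MAGIC):
        return findings
    eof = data.rfind(b"%%EOF")
    tail = data[eof + len(b"%%EOF"):] if eof != -1 else b""
    # PDF/ZIP polyglot: EOCD must sit within the last 64 KiB + 22 bytes,
    # and a local file header must appear in the data after the PDF trailer.
    if ZIP_EOCD in data[-65557:] and ZIP_LOCAL in tail:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:  # zipfile tolerates prefixed data
                names = zf.namelist()
            findings.append(f"pdf+zip: {len(names)} member(s): {', '.join(names)}")
        except zipfile.BadZipFile:
            findings.append("pdf+zip: trailing ZIP signatures but archive unreadable")
    # PDF/HTA polyglot: HTML/HTA markup after the trailer, which a PDF reader ignores
    # but mshta.exe will happily parse.
    if any(marker in tail.lower() for marker in HTA_MARKERS):
        findings.append("pdf+hta: HTML/HTA markup appended after PDF trailer")
    return findings

def _minimal_pdf() -> bytes:
    # Constructed sample: the smallest PDF-looking skeleton with a trailer.
    return b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"

def sample_pdf_zip() -> bytes:
    # Constructed sample: PDF followed by a one-member ZIP (hypothetical file name).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("catalog.lnk", b"constructed placeholder content")
    return _minimal_pdf() + buf.getvalue()

def sample_pdf_hta() -> bytes:
    # Constructed sample: PDF followed by inert HTA markup (no script body).
    return _minimal_pdf() + b"<html><hta:application id='app'/><script></script></html>"

if __name__ == "__main__":
    for name, blob in (("pdf_zip", sample_pdf_zip()), ("pdf_hta", sample_pdf_hta()), ("clean", _minimal_pdf())):
        print(name, classify_polyglot(blob))
```

Run on real files, the check belongs after the attachment is written to disk and before it is handed to any viewer; a positive finding is a strong signal on its own because legitimate PDFs have no reason to carry a second format after the trailer.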
The malware delivery process eventually led to the installation of a custom-built Go backdoor dubbed “Sosano” by researchers. This backdoor was heavily obfuscated with unnecessary code libraries and employed various anti-analysis techniques, including randomized sleep functions to evade automated detection systems.
Analysis of the Sosano Backdoor
The infection chain revealed significant technical complexity. After initial execution, a LNK file launched cmd.exe followed by mshta.exe to process the PDF/HTA polyglot file.
A portion of the HTA orchestrator code shows the string obfuscation in use (the `today` helper, not shown here, decodes the encoded strings before they are passed to CreateObject and RegWrite):
Function nexttoday(uFP)
Dim WshShell
dim oo2
oo2 ="BXhwnuy.Xmjqq"
Set WshShell = CreateObject(today(oo2, 21))
On Error Resume Next
Dim fso1
fso1 = "MPJD_HZWWJSY_ZXJWXTKYBFWJRnhwtxtkyBnsitbxHzwwjsyAjwxntsWzsRdZwqKnqj"
WshShell.RegWrite today(fso1, 21), uFP, "REG_SZ"
On Error GoTo 0
End Function
The Sosano backdoor, written in Go, connects to its command and control server (bokhoreshonline[.]com) to receive instructions.
The malware can perform various functions including directory navigation, file listing, downloading additional payloads, and removing directories.
Researchers noted the backdoor’s infrastructure resolved to commercial hosting providers, likely to blend with legitimate traffic.
The highly targeted nature of this campaign, the sophisticated technical measures employed, and the focus on critical transportation infrastructure in the UAE indicate a threat actor with significant capabilities and specific intelligence-gathering objectives.
While Proofpoint has not definitively attributed this campaign to a specific nation-state, it noted some similarities with suspected Islamic Revolutionary Guard Corps-aligned campaigns, though it assesses UNK_CraftyCamel to be a separate entity.
Organizations should implement measures to detect the unusual behaviors associated with this attack chain, including LNK files executing from recently unzipped directories and URL files launching non-browser executables.