A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates.
The malware delivers a backdoor called Sosano, which establishes persistence on the infected devices and allows the attackers to execute commands remotely.
The activity was discovered by Proofpoint in October 2024, which states that the attacks are linked to a threat actor named ‘UNK_CraftyCamel.’ While the campaign is still small, the researchers report that it is still advanced and dangerous to targeted companies.
Proofpoint’s researchers noted that the attacks bear similarities with operations from Iranian-aligned groups TA451 and TA455. However, the latest campaign is distinct, having a strong cyber-espionage focus.
Polyglot threat
Polyglot malware consists of specially crafted files that contain multiple file formats, allowing them to be interpreted differently by various applications.
For example, a single file could be structured as both a valid MSI (Windows installer) and a JAR (Java archive), causing Windows to recognize it as an MSI while the Java runtime interprets it as a JAR.
This technique enables attackers to stealthily deliver malicious payloads by evading security software, which typically analyzes files based on a single format.
In the new campaign observed by Proofpoint, the attack begins with a highly targeted spear-phishing email sent from a compromised Indian electronics company (INDIC Electronics).
These emails contain malicious URLs that direct victims to a spoofed domain (indicelectronics[.]net), where they are prompted to download a ZIP archive (“OrderList.zip”).
The archive contains an LNK (Windows shortcut) file disguised as an XLS, as well as two PDF files (“about-indic.pdf” and “electronica-2024.pdf”). Both PDFs are polyglot files containing a legitimate PDF file structure but an additional malicious file structure.
The first PDF contains HTA (HTML Application) code, while the other includes a hidden ZIP archive.
Source: Proofpoint
The main benefit of using polyglots is evasion, as most security tools will inspect the first file format (PDF), which is a benign document, and completely ignore the malicious hidden portion (HTA/ZIP payloads).
Source: Proofpoint
When executing the LNK file, cmd.exe launches mshta.exe, which executes the HTA script hidden inside the first PDF, triggering the launch of the second PDF file.
The hidden archive inside the second PDF writes a URL file to the Windows Registry for persistence and then executes an XOR-encoded JPEG file that decodes a DLL payload (“yourdllfinal.dll”), which is the Sosano backdoor.
Source: Proofpoint
Proofpoint says Sosano is a relatively simple Go-based payload with limited functionality that was likely bloated to 12MB in size to obfuscate what small amounts of malicious code it uses.
Once it’s activated, Sonaso establishes a connection with its command-and-control (C2) server at “bokhoreshonline[.]com” and awaits commands, including file operations, shell command execution, and fetching and launching additional payloads.
Defending against polyglot threats requires a multifaceted approach combining email scanning, user education, and security software that can detect multiple file formats in a single file.
If not needed in daily operations, blocking dangerous file types such as LNKs, HTAs, and ZIPs at the email gateway is prudent.