CyberSecurity news
FlagThis
Ridhika Singh@cysecurity.news
//
A sophisticated cyber espionage campaign, dubbed UNK_CraftyCamel, is actively targeting aviation and satellite organizations in the United Arab Emirates (UAE). Cybersecurity researchers at Proofpoint discovered this attack in October 2024. The attackers are employing advanced techniques, including the use of polyglot files, a custom Go-based backdoor known as Sosano, and compromised business accounts, to evade detection. This highly targeted campaign leverages compromised business relationships and tailored lures to deliver a multi-stage infection chain.
The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives contain cleverly disguised malware components using polyglot files, a relatively rare technique in espionage operations. These files are structured so they can be interpreted as multiple file formats, allowing attackers to hide malicious content within seemingly legitimate files, making detection more difficult. The use of polyglot files demonstrates an advanced adversary with a focus on stealth and obfuscation.
Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.
ImgSrc: blogger.googleu
References :
The attack begins with phishing emails sent from the compromised account of an Indian electronics company, INDIC Electronics. These emails contain links to malicious ZIP files hosted on domains designed to mimic legitimate companies. The ZIP archives contain cleverly disguised malware components using polyglot files, a relatively rare technique in espionage operations. These files are structured so they can be interpreted as multiple file formats, allowing attackers to hide malicious content within seemingly legitimate files, making detection more difficult. The use of polyglot files demonstrates an advanced adversary with a focus on stealth and obfuscation.
Once executed, the polyglot malware installs Sosano, a custom Go-based backdoor designed for stealth and resilience. Sosano establishes a connection with a command-and-control server and waits for commands, which include listing directories, executing shell commands, and downloading additional payloads. While some tactics overlap with known Iranian-aligned threat actors, researchers have not definitively linked this activity to any previously identified group. The attackers’ focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive.
ImgSrc: blogger.googleu
Share:
References :
- Cyber Security News: Hackers Exploit Business Relationships to Attack Arab Emirates Aviation Sector
- gbhackers.com: Hackers Exploiting Business Relationships to Attack Arab Emirates Aviation Sector
- The Record: Proofpoint researchers say they spotted new backdoor malware that suspected Iranian regime-backed hackers have aimed at sectors such as aviation, satellite communications and critical transportation infrastructure in the United Arab Emirates.
- Information Security Buzz: Highly Targeted Cyber Espionage Campaign Targeting UAE Aviation Sector
- thehackernews.com: Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector
- Virus Bulletin: Proofpoint researchers identified a highly targeted email-based campaign targeting UAE organizations. The malicious messages were sent from a compromised entity in a trusted business relationship with the targets, and used lures customized to every target.
- www.cysecurity.news: A highly targeted cyber espionage campaign, dubbed UNK_CraftyCamel, is targeting aviation and satellite organizations in the UAE. Attackers use polyglot files, a custom Go-based backdoor (Sosano), and compromised business accounts to evade detection.
- Vulnerable U: Highly Targeted Polyglot Malware Campaign Hits UAE Aviation and Satellite Firms
- Industrial Cyber: Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors
- : New Cyber-Espionage Campaign Targets UAE Aviation and Transport
- www.scworld.com: New Sosano malware attacks target UAE
- securityonline.info: UNK_CraftyCamel: New Threat Group Using Polyglot Malware in UAE
- securityaffairs.com: A new cyber espionage campaign is targeting UAE aviation and satellite companies. Researchers have identified a custom Go-based backdoor, Sosano, being used in this operation.
- www.redpacketsecurity.com: Researchers have identified a new cyber-espionage campaign targeting aviation and satellite organizations in the UAE.
Classification:
- HashTags: #CyberEspionage #UAE #Sosano
- Company: INDIC Electronics
- Target: UAE Firms
- Attacker: UNK_CraftyCamel
- Product: Software
- Feature: Polyglot Malware
- Malware: Sosano
- Type: Hack
- Severity: Major