Researchers at Proofpoint have disclosed a narrowly targeted phishing campaign aimed at fewer than five organizations in the United Arab Emirates (UAE). The targets operate in the aviation and satellite communications sectors, and the goal of the campaign was to deliver a previously undocumented backdoor, written in Go, that Proofpoint named Sosano.
Proofpoint tracks the actor behind the campaign as UNK_CRAFTYCAMEL; the activity was identified in late October 2024. A key element of the operation was the use of a compromised e-mail account belonging to the Indian electronics company Indic Electronics, which had an existing business relationship with the victims. The phishing e-mails carried links to a look-alike domain ("IndicElectronics[.]NET") that mimicked the company's legitimate website and hosted a ZIP archive of malicious files.
The archive held three files: a Windows shortcut (LNK) disguised as an Excel spreadsheet (XLS), plus two PDF files that turned out to be polyglots, that is, files that parse as a valid PDF but also carry a second format. One PDF embedded an HTA (HTML Application) script; the other embedded a nested ZIP archive. Wrapping the payloads in this way let the attackers get past detection tools that classify a file by its declared type rather than by everything it contains.
The chain ran as follows: the LNK file launched cmd.exe, which invoked mshta.exe to execute the HTA script hidden in the first PDF. That script extracted the ZIP archive hidden in the second PDF and launched an Internet Shortcut (.url) file from it, which in turn ran a binary. That binary decrypted an encrypted payload and deployed the Sosano backdoor.
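Two checks a defender can run against the chain described above, as an added example written for this article rather than code from Proofpoint or the campaign itself: the first triages a file that claims to be a PDF for an embedded HTA or ZIP (polyglot detection), the second walks process-creation events to flag mshta.exe executing a non-.hta file, with cmd.exe as the parent raising severity. The byte markers, the sample polyglots and the Sysmon-style events are all constructed for the example; none of them are indicators from the report.

```python
import io
import re
import zipfile
from typing import Dict, List

# --- Part 1: triage of PDF polyglots -------------------------------------
# Assumed markers (not indicators from the report): an HTA carries HTA/script
# tags, a ZIP carries local-file headers somewhere after the PDF prefix.
PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject", b"wscript.shell")


def triage_pdf_polyglot(data: bytes) -> Dict[str, object]:
    """Report which non-PDF structures hide inside a file that claims to be a PDF."""
    result: Dict[str, object] = {"is_pdf": data.startswith(PDF_MAGIC), "embedded_hta": False,
                                 "zip_header_offsets": [], "zip_members": []}
    if not result["is_pdf"]:
        return result
    lowered = data.lower()
    result["embedded_hta"] = any(marker in lowered for marker in HTA_MARKERS)
    offsets = [m.start() for m in re.finditer(re.escape(ZIP_LOCAL_HEADER), data)]
    result["zip_header_offsets"] = offsets
    if offsets:
        # zipfile finds the central directory from the end of the data and
        # tolerates leading bytes, so the PDF prefix does not stop member listing.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                result["zip_members"] = zf.namelist()
        except zipfile.BadZipFile:
            pass
    return result


def build_sample_pdf_zip_polyglot() -> bytes:
    """Constructed sample: PDF header followed by a ZIP holding a .url shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:  # ZIP_STORED, so the member text stays plain
        zf.writestr("stage2.url", "[InternetShortcut]\r\nURL=file:///C:/placeholder/stage2.exe\r\n")
    return b"%PDF-1.4\n% constructed sample, not a real document\n" + buf.getvalue()


# Constructed sample: PDF header followed by an HTA body.
SAMPLE_PDF_HTA_POLYGLOT = (
    b"%PDF-1.4\n% constructed sample, not a real document\n"
    b'<hta:application id="app">\n'
    b'<script language="VBScript">Set sh = CreateObject("WScript.Shell")</script>\n'
)
# Constructed sample: an ordinary PDF with nothing hidden.
SAMPLE_PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"


# --- Part 2: process-lineage detection ----------------------------------
def _arguments(cmdline: str) -> List[str]:
    """Split a command line into quoted or bare tokens and drop the image itself."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return tokens[1:]


def flag_mshta_chain(events: List[dict]) -> List[dict]:
    """Flag mshta.exe launches whose target is not an .hta file.

    Each event is a process-creation record with pid, ppid, image and cmdline.
    A cmd.exe parent (the LNK -> cmd.exe -> mshta.exe chain) raises severity.
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"].lower() != "mshta.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_image = parent["image"].lower() if parent else "unknown"
        for arg in _arguments(e["cmdline"]):
            if arg.startswith("/") or "." not in arg:
                continue  # switches and bare words are not file targets
            if arg.rsplit(".", 1)[-1].lower() == "hta":
                continue
            alerts.append({"pid": e["pid"], "parent": parent_image, "target": arg,
                           "severity": "high" if parent_image == "cmd.exe" else "medium"})
    return alerts


# Constructed process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe",
     "cmdline": 'cmd.exe /c mshta.exe "C:\\Users\\user\\Downloads\\invoice.pdf"'},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",
     "cmdline": 'mshta.exe "C:\\Users\\user\\Downloads\\invoice.pdf"'},
    {"pid": 400, "ppid": 100, "image": "mshta.exe", "cmdline": 'mshta.exe "C:\\Tools\\status.hta"'},
]

if __name__ == "__main__":
    for sample in (build_sample_pdf_zip_polyglot(), SAMPLE_PDF_HTA_POLYGLOT, SAMPLE_PLAIN_PDF):
        print(triage_pdf_polyglot(sample))
    for alert in flag_mshta_chain(SAMPLE_EVENTS):
        print(alert)
```

The file check deliberately does not trust the extension or the first bytes alone: a PDF prefix is exactly what a polyglot presents, so the triage looks for the second format's own structure. The process check keys on the argument's extension because mshta.exe will happily run script from a file named .pdf, .jpg or .txt; on real telemetry, run it over Sysmon Event ID 1 or equivalent EDR process-creation records.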
Sosano communicates with a command-and-control (C2) server and supports a small set of commands: report the current directory, list a directory's contents, fetch and run the next stage, delete a directory, and execute a shell command.
Although the tradecraft does not match that of any established threat group, the researchers see a possible link to Iran, specifically the Islamic Revolutionary Guard Corps (IRGC). The choice of targets (aviation, satellite communications and critical transport infrastructure in the UAE) points to an interest in collecting intelligence from critical sectors.
Proofpoint stressed the campaign's narrow scope and high specificity: the layered evasion techniques, together with the compromise of a trusted third party's account to lend the lures credibility, point to considerable planning behind the attack.