Proofpoint warns of a highly targeted campaign targeting several United Arab Emirates organizations across multiple sectors with a new backdoor.
The attacks, attributed to an Iranian threat actor tracked as UNK_CraftyCamel, employed polyglot files to hide the malicious payload, a technique relatively uncommon in espionage attacks.
The threat actor, Proofpoint says, compromised an Indian electronics company’s email account in October 2024 and then used it to send malicious email messages to UAE organizations in the aviation and satellite communications, and critical transportation infrastructure sectors.
The messages contained a malicious URL to download a ZIP archive that appeared to contain an XLS file, which was in fact an LNK file using a double extension, and two PDF files that were polyglots: one was appended with an HTA file and the other with a ZIP archive.
Created by carefully structuring data and aligning headers and footers, polyglot files can be interpreted as different formats, depending on how they are read.
As part of the attack, the LNK file was used to launch commands needed to parse the PDF/HTA polyglot file and execute the relevant content from it. The HTA script is used to build an executable and a URL from the second PDF and writes the URL to the registry for persistence.
The process ends with the execution of a backdoor dubbed Sosano, which is written in Golang and contains limited functionality. The backdoor first sleeps for a random amount of time, then attempts to contact its command-and-control (C&C) server to receive commands.
Based on the received commands, the malware can get the current directory and change the working one, list the content of the directory, download and load additional content, delete a directory, and execute shell commands.
According to Proofpoint, the backdoor was also designed to fetch and run a secondary payload named ‘cc.exe’, but it was not available on the remote server.
UNK_CraftyCamel’s activity, the cybersecurity firm says, does not overlap with known threat actor operations, but shows that the adversary is focused on staying under the radar.
However, the adversary’s tactics, techniques, and procedures (TTP) suggest alignment with TA451 and TA455, threat actors believed to be associated with the Islamic Revolutionary Guard Corps (IRGC).
“Our analysis suggests that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC). The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape,” Proofpoint threat researcher Joshua Miller said.
Related: US Imposes Sanctions on Russian and Iranian Groups Over Disinformation Targeting American Voters
Related: Iranian Hackers Use IOCONTROL Malware to Target OT, IoT Devices in US, Israel
Related: Iranian Hackers Target Aerospace Industry in ‘Dream Job’ Campaign
Related: Iranian Hackers Use Brute Force in Critical Infrastructure Attacks
