Threat hunters are highlighting a new, highly targeted phishing campaign that targeted “fewer than five” entities in the United Arab Emirates (UAE) to deliver a previously undocumented Golang backdoor dubbed Sosano.
According to Proofpoint, which discovered it in late October 2024, the malicious activity was specifically directed at organizations involved in aviation and satellite communications. The enterprise security firm is tracking the emerging cluster as UNK_CraftyCamel.
A notable feature of the attack chain is the adversary’s use of a compromised INDIC Electronics email account to send the phishing messages. The two parties are said to have had a trusted business relationship, with the lures tailored to each target.
In a statement shared with The Hacker News, Proofpoint said that “UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano.”
The messages contained URLs pointing to a fake domain impersonating INDIC Electronics (a “.net” lookalike), which hosted a ZIP archive containing two PDF files and an XLS file.
The XLS file, however, was actually a Windows shortcut (LNK) disguised as a Microsoft Excel document using a double extension. The two PDF files, one with an HTML Application (HTA) file appended and the other with a ZIP archive appended, turned out to be polyglots.
This allows each PDF to be interpreted as two distinct valid formats by programs such as file explorers, command-line tools, and browsers, depending on how it is parsed.
In the attack sequence Proofpoint examined, the LNK file is used to launch cmd.exe, which in turn uses mshta.exe to execute the PDF/HTA polyglot. This results in the execution of the HTA script, which contains instructions to unpack the ZIP archive embedded in the second PDF.
One of the files in that archive is an internet shortcut (URL) file responsible for loading a binary, which then decodes and runs the DLL backdoor Sosano.
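The two lure tricks described above, a double-extension shortcut posing as a spreadsheet and PDFs that are also valid HTA or ZIP files, are both detectable by static inspection of the archive before anything is opened. The following added example (not Proofpoint’s tooling, and not code from the campaign) scans a ZIP archive and flags members whose displayed name suggests an Office document while the real extension is .lnk, members whose bytes start with the Windows shell-link header under some other name, and PDFs that also carry a ZIP local-file header or HTML/HTA markup. The sample archive is constructed inline and is inert; the member names and byte layouts are assumptions made for the demonstration.

```python
"""Heuristic triage of a ZIP lure for double-extension shortcuts and PDF polyglots.
Added example, not Proofpoint's tooling; the sample archive is constructed."""
import io
import zipfile

# Magic bytes of a Windows shell link (.lnk): HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian form.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
OFFICE_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")


def classify_entry(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one archive member (empty list = nothing suspicious)."""
    findings = []
    lower = name.lower()
    parts = lower.rsplit(".", 2)
    # Double extension such as 'report.xlsx.lnk': the name a user sees suggests an
    # Office document (Explorer hides known extensions), but the real one is .lnk.
    if lower.endswith(".lnk") and len(parts) == 3 and "." + parts[1] in OFFICE_EXTS:
        findings.append("double-extension shortcut: %s" % name)
    # Shell-link bytes under any non-.lnk name are equally suspicious.
    if data.startswith(LNK_MAGIC) and not lower.endswith(".lnk"):
        findings.append("LNK content under non-LNK name: %s" % name)
    if data.startswith(PDF_MAGIC):
        # A PDF that also carries a ZIP archive or HTA/HTML markup is a polyglot:
        # one parser sees a document, another sees an archive or a script host file.
        if ZIP_LOCAL_HEADER in data or ZIP_EOCD in data:
            findings.append("PDF/ZIP polyglot: %s" % name)
        if any(marker in data.lower() for marker in HTA_MARKERS):
            findings.append("PDF/HTA polyglot: %s" % name)
    return findings


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan every member of a ZIP lure and return {member name: findings}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results[info.filename] = classify_entry(info.filename, zf.read(info))
    return results


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the lure layout: two 'PDF' polyglots, a fake XLS,
    and one clean PDF as a control. No member does anything when opened."""
    pdf_hta = b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n<html><hta:application id=x></html>"
    pdf_zip = (b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n"
               + ZIP_LOCAL_HEADER + b"\x00" * 26 + ZIP_EOCD + b"\x00" * 18)
    fake_xls = LNK_MAGIC + b"\x00" * 56
    clean_pdf = b"%PDF-1.4\n1 0 obj << >> endobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", pdf_hta)
        zf.writestr("contract.pdf", pdf_zip)
        zf.writestr("price_list.xlsx.lnk", fake_xls)
        zf.writestr("brochure.pdf", clean_pdf)
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_archive(build_sample_archive()).items():
        print(member, "->", findings or ["ok"])
```

The checks are deliberately coarse: a real PDF can legitimately contain the string `<html` inside a stream, so the polyglot rules are triage signals for a mail gateway or sandbox to act on (detonate, quarantine, or alert), not verdicts. The double-extension and shell-link checks, by contrast, have almost no benign hits in a business document archive and are safe to block on.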
Written in Golang, the implant has limited functionality: it contacts a command-and-control (C2) server and waits for additional commands, which include the following:
- sosano, to change or get the current working directory
- yangom, to enumerate the contents of the current directory
- monday, to download and launch an unidentified next-stage payload
- raian, to remove or replace a directory
- lunna, to execute a shell command
Proofpoint noted that UNK_CraftyCamel’s tradecraft does not overlap with that of any other known threat actor or group.
“Our research suggests this activity is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC),” Joshua Miller, APT Staff Threat Researcher at Proofpoint, told The Hacker News. “The targeted sectors are critical to both economic stability and national security, making them valuable intelligence priorities in the wider geopolitical landscape.”
“This low-volume, highly targeted phishing campaign used a variety of obfuscation methods and a trusted third-party compromise to target aviation, satellite communications, and critical transportation infrastructure in the UAE. It demonstrates the lengths state-aligned actors will go to evade detection and successfully carry out their intelligence collection mandates.”