
Cyber-Espionage Campaign Focuses on UAE Aviation and Transport Sector

Proofpoint researchers have uncovered a cyber-espionage campaign that targeted aviation, satellite communications, and critical transportation organizations in the United Arab Emirates. The activity, which Proofpoint attributes to an intrusion cluster it tracks as UNK_CraftyCamel, used a multi-stage infection chain to deploy a previously undocumented backdoor named Sosano.

The campaign, which ran in the fall of 2024, was narrowly targeted: fewer than five organizations received the emails. The messages were sent from a compromised mailbox at INDIC Electronics, an Indian electronics company, and carried lures tailored to each recipient. Each delivered a ZIP archive containing polyglot files, a choice intended to get past file-type checks and land the malware without triggering detection.

A polyglot file is one that parses as a valid file in two or more formats, depending on which parser reads it: a reader expecting a PDF sees a PDF, while another tool finds a different file embedded in the same bytes. That makes polyglots a niche but effective tool for adversaries who prioritize stealth, since a scanner that classifies a file by its header alone may never examine the second format.

The infection chain Proofpoint identified starts with a ZIP archive containing what looks like an XLS spreadsheet and two PDFs. The "spreadsheet" was in fact an LNK shortcut with a deceptive double extension (the final .lnk hidden behind a document-looking suffix, which Windows Explorer does not display for known file types), and the two PDFs were polyglots with additional malicious components hidden inside them. Opening the shortcut kicked off a sequence that pulled those hidden components out of the PDFs and ultimately ran the Sosano backdoor.
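To make the two tricks in that chain concrete, here is an added example (written for this page; it is not Proofpoint's tooling and contains no artifact from the campaign) that triages the members of a suspicious archive: it flags a decoy double extension such as .xls.lnk, and it flags a file whose leading bytes declare one format while markers of another format appear further into its body. The signature table, the extension lists and the sample byte strings are all assumptions constructed for illustration.

```python
from typing import Dict, List, Optional, Set

# Magic bytes a file is allowed to start with. The mapping is an assumption for this
# example; real triage would use a full signature database.
HEADER_MAGICS: Dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"\x4c\x00\x00\x00\x01\x14\x02\x00": "lnk",  # Shell Link header size + CLSID prefix
}

# Markers that, found *after* a valid header, suggest a second format hidden in the body.
EMBEDDED_MARKERS: Dict[bytes, str] = {
    b"PK\x03\x04": "zip",
    b"MZ\x90\x00": "pe",            # assumption: common DOS stub prefix
    b"<hta:application": "hta",
    b"<script": "script",
}

# Extensions a decoy might show, and extensions Windows actually executes (assumed lists).
DECOY_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt"}
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".hta", ".scr", ".js", ".vbs", ".bat"}


def declared_format(data: bytes) -> Optional[str]:
    """Format the file claims to be, judged only by its leading bytes."""
    for magic, name in HEADER_MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def embedded_formats(data: bytes) -> Set[str]:
    """Formats whose markers appear inside the body of an otherwise valid container."""
    head = declared_format(data)
    if head is None:
        return set()                       # unknown container: nothing to compare against
    found: Set[str] = set()
    for marker, name in EMBEDDED_MARKERS.items():
        if name == head:
            continue                       # e.g. ZIP local headers inside a ZIP are normal
        if data.find(marker) > 0:          # > 0: must sit past the declared header
            found.add(name)
    return found


def has_deceptive_double_extension(filename: str) -> bool:
    """True for names like 'quote.xls.lnk', where Explorer hides the final .lnk."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    decoy, real = "." + parts[1], "." + parts[2]
    return decoy in DECOY_EXTENSIONS and real in EXECUTABLE_EXTENSIONS


def triage_member(filename: str, data: bytes) -> List[str]:
    """Combine both checks for one archive member; returns a list of findings."""
    findings: List[str] = []
    if has_deceptive_double_extension(filename):
        findings.append(f"{filename}: double extension hides an executable type")
    extra = embedded_formats(data)
    if extra:
        findings.append(f"{filename}: {declared_format(data)} polyglot with embedded {sorted(extra)}")
    return findings


# Constructed samples (not captures from the campaign).
SAMPLE_CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_PDF_HTA_POLYGLOT = SAMPLE_CLEAN_PDF + (
    b"<html><hta:application id=\"x\"/><script>/* constructed marker */</script></html>"
)
SAMPLE_LNK_HEADER = b"\x4c\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 12

if __name__ == "__main__":
    for name, blob in [("quote.xls.lnk", SAMPLE_LNK_HEADER),
                       ("terms.pdf", SAMPLE_PDF_HTA_POLYGLOT),
                       ("invoice.pdf", SAMPLE_CLEAN_PDF)]:
        print(name, triage_member(name, blob) or ["no findings"])
```

The marker scan is deliberately crude: it answers "is there a second format in here?" rather than "is this file malicious?", which is the question a header-only scanner fails to ask. A production version would parse the declared format properly and treat anything past its logical end of file (for a PDF, past the last %%EOF) as suspect.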

Sosano is a backdoor written in Go. Its binary is padded with unused libraries, which inflates its size and makes analysis and signature matching harder. Once running, it connects to a command-and-control server and waits for instructions, which include listing directories, executing shell commands, and downloading additional payloads.

While some tactics and techniques used in this cyber-espionage campaign overlap with known Iranian-aligned threat actors, Proofpoint has tracked UNK_CraftyCamel as a distinct intrusion cluster and has not definitively linked it to any previously identified group. The focus on aviation and satellite communications in the UAE suggests a strategic intelligence-gathering motive for the attackers.

Security teams have several opportunities to detect the Sosano infection chain: monitoring for LNK files executed from newly created or freshly unzipped directories; alerting when a .url file is referenced from a registry Run key, which is how the chain persists; and flagging executables that read JPG files from user directories, since one stage of the payload was carried inside an image file.
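The three detection opportunities above, run over constructed telemetry as an added example (this is not Proofpoint's detection content and not part of the original article). The event schema, field names, the ten-minute freshness window and the image-viewer allowlist are assumptions; a real deployment would map them onto Sysmon or EDR fields (Sysmon event 11 for file creation, event 1 for process creation with its CurrentDirectory, event 13 for registry value writes; file-read telemetry comes from EDR rather than Sysmon) and tune the allowlist to the estate.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed telemetry for one workstation (not real logs). Field names are assumptions
# loosely modelled on Sysmon; 'file_read' stands in for EDR file-access telemetry.
EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-11-04T09:12:01", "type": "file_create", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\Downloads\quote_2024\quote.xls.lnk"},
    {"ts": "2024-11-04T09:12:40", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\alice\Downloads\quote_2024"},
    {"ts": "2024-11-04T09:12:55", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\alice\AppData\Roaming\updater.url"},
    {"ts": "2024-11-04T09:13:10", "type": "file_read", "image": r"C:\Users\alice\AppData\Roaming\svc.exe",
     "path": r"C:\Users\alice\Pictures\photo.jpg"},
    # Benign noise the rules must ignore.
    {"ts": "2024-11-04T09:20:00", "type": "file_read", "image": r"C:\Windows\System32\mspaint.exe",
     "path": r"C:\Users\alice\Pictures\cat.jpg"},
    {"ts": "2024-11-04T11:00:00", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\alice\Downloads\quote_2024"},
    {"ts": "2024-11-04T11:05:00", "type": "registry_set",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

LNK_WINDOW = timedelta(minutes=10)   # assumption: how long after a .lnk lands a dir counts as "fresh"
IMAGE_VIEWERS = {"mspaint.exe", "explorer.exe", "photos.exe", "dllhost.exe"}  # assumed allowlist


def _ts(e: Dict[str, str]) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _dirname(p: str) -> str:
    return p.rsplit("\\", 1)[0].lower()


def _basename(p: str) -> str:
    return p.rsplit("\\", 1)[-1].lower()


def detect_lnk_from_fresh_dir(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: a process spawned by Explorer whose working directory is one where a .lnk
    was written moments earlier (a user opening a shortcut out of a just-unzipped folder)."""
    lnk_dirs: Dict[str, datetime] = {}
    hits: List[Dict[str, str]] = []
    for e in sorted(events, key=_ts):
        if e["type"] == "file_create" and e["path"].lower().endswith(".lnk"):
            lnk_dirs[_dirname(e["path"])] = _ts(e)
        elif e["type"] == "process_create" and _basename(e.get("parent", "")) == "explorer.exe":
            landed = lnk_dirs.get(e.get("cwd", "").lower())
            if landed is not None and timedelta(0) <= _ts(e) - landed <= LNK_WINDOW:
                hits.append(e)
    return hits


def detect_url_in_run_key(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 2: a Run/RunOnce value whose data points at a .url file."""
    return [e for e in events
            if e["type"] == "registry_set"
            and "\\currentversion\\run" in e["key"].lower()
            and e["data"].lower().strip('"').endswith(".url")]


def detect_exe_reading_user_jpg(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 3: an executable outside the viewer allowlist reading a JPG under a user profile."""
    hits: List[Dict[str, str]] = []
    for e in events:
        if e["type"] != "file_read":
            continue
        path = e["path"].lower()
        if not (path.startswith("c:\\users\\") and path.endswith((".jpg", ".jpeg"))):
            continue
        if _basename(e["image"]) in IMAGE_VIEWERS:
            continue
        hits.append(e)
    return hits


def run_all(events: List[Dict[str, str]]) -> Dict[str, int]:
    """Hit count per rule; one host tripping all three within minutes deserves a look."""
    return {
        "lnk_from_fresh_dir": len(detect_lnk_from_fresh_dir(events)),
        "url_in_run_key": len(detect_url_in_run_key(events)),
        "exe_reads_user_jpg": len(detect_exe_reading_user_jpg(events)),
    }


if __name__ == "__main__":
    for rule, count in run_all(EVENTS).items():
        print(f"{rule}: {count}")
```

Each rule is noisy on its own (users do open shortcuts from Downloads, and some legitimate software reads images), which is why the last function counts hits per rule: correlating all three on one endpoint inside a short window is what turns three weak signals into a strong one.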

Beyond these detections, organizations are advised to train users to treat unexpected content with suspicion and to recognize common markers of malicious content, such as a look-alike sender domain that reuses a legitimate company name under a different top-level domain. Vigilance combined with strong technical controls leaves organizations better placed against espionage campaigns like this one against UAE critical infrastructure.
