A new cyber espionage campaign has been uncovered targeting a select group of entities in the United Arab Emirates (UAE), focusing on aviation, satellite communications, and critical transportation infrastructure.
The attack, identified by Proofpoint researchers, used advanced obfuscation techniques and a newly discovered backdoor dubbed Sosano, developed using the Go programming language.
The campaign, attributed to an emerging threat cluster labeled UNK_CraftyCamel, used a compromised email account at an Indian electronics company to distribute malware-laden emails. These emails, tailored to each target and sent from what appeared to be an existing business contact, were particularly effective because they abused a trusted relationship rather than a stranger's lure.
Sophisticated Infection Chain
The attack, first observed in late October 2024, began with phishing emails sent from the compromised account of INDIC Electronics. The emails contained links to a domain mimicking the legitimate INDIC Electronics website (indicelectronics[.]net). Clicking the link triggered the download of a malicious ZIP archive, which appeared to contain harmless PDF and Excel files but actually concealed multiple payloads.
Proofpoint’s analysis revealed that the files included polyglots—files structured to be interpreted in different ways by various software. One file masqueraded as a PDF but contained hidden HTML Application (HTA) code, while another pretended to be an Excel spreadsheet but was actually a shortcut (LNK) file.
When opened, these files executed commands that installed the Sosano backdoor.
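Both masquerades described above can be caught before a user opens the archive by checking whether a file's bytes match the type its name claims. The checker below is an added example written for this article, not Proofpoint's tooling and not the campaign's own files; the sample attachments it scans are constructed inline to mimic the two cases (a "PDF" carrying HTA markup and an "Excel" file that is really a Windows shortcut), and the magic bytes and marker strings are the standard format signatures for PDF, OLE, OOXML and .LNK.

```python
"""Flag attachments whose content does not match their claimed type.

Added example: the samples in constructed_samples() are built here to
mimic the polyglot/masquerade tricks in the article; they are not the
real campaign artifacts.
"""
import os
import re

# Windows shortcut: HeaderSize 0x4C followed by the ShellLink CLSID 00021401-...
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls (compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # .xlsx / .docx (OOXML is a zip)

# Markup that mshta.exe will happily run even if the file also parses as a PDF
HTA_MARKERS = re.compile(rb"<hta:application|<script\b|<html\b", re.IGNORECASE)

EXPECTED = {
    ".pdf": (PDF_MAGIC,),
    ".xls": (OLE_MAGIC,),
    ".xlsx": (ZIP_MAGIC,),
}


def classify(name, data):
    """Return the findings for one file; an empty list means nothing looked odd."""
    findings = []
    ext = os.path.splitext(name)[1].lower()
    # A .lnk extension (often hidden behind a double extension) or LNK bytes
    if name.lower().endswith(".lnk") or data.startswith(LNK_MAGIC):
        findings.append("windows-shortcut")
    # Claimed document type whose first bytes are not that format
    if ext in EXPECTED and not any(data.startswith(m) for m in EXPECTED[ext]):
        findings.append(f"magic-mismatch:{ext}")
    # A genuine PDF header does not rule out HTA content further down
    if HTA_MARKERS.search(data):
        findings.append("embedded-html/hta")
    return findings


def scan_archive(files):
    """files: {name: bytes} as extracted from a zip; returns {name: findings}."""
    return {name: classify(name, data) for name, data in files.items()}


def constructed_samples():
    """Constructed sample attachments for the demo (not real malware)."""
    pdf_hta = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
               b"<html><hta:application id=\"x\"></hta:application>"
               b"<script>/* attacker logic would go here */</script></html>\n%%EOF\n")
    lnk_as_xlsx = LNK_MAGIC + b"\x00" * 12 + b"\x46" + b"\x00" * 60
    clean_pdf = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    clean_xlsx = ZIP_MAGIC + b"\x14\x00\x06\x00" + b"[Content_Types].xml" + b"\x00" * 32
    return {
        "Invoice.pdf": pdf_hta,
        "Price_List.xlsx": lnk_as_xlsx,
        "Quote.pdf": clean_pdf,
        "Orders.xlsx": clean_xlsx,
    }


if __name__ == "__main__":
    for name, findings in scan_archive(constructed_samples()).items():
        print(f"{name:18} {findings or 'ok'}")
```

The two checks are deliberately independent: a real PDF/HTA polyglot keeps a valid `%PDF-` header, so the magic-byte comparison alone passes it and only the marker scan flags it, while a shortcut renamed to `.xlsx` has no HTML at all and is caught purely by the header mismatch. A `<script` hit inside a legitimate PDF is rare (PDF JavaScript lives in object streams, not HTML tags) and is worth a look anyway.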
Obfuscation Capabilities
The Sosano backdoor, a 12MB DLL, is deliberately bloated with unused Go libraries to slow down analysis. Once executed, it sleeps for a random period before attempting to contact its command-and-control (C2) server, bokhoreshonline[.]com.
Upon establishing communication, Sosano listens for commands that allow malicious actors to:
- Navigate directories and list files
- Download and load additional payloads
- Execute shell commands
- Delete directories
While the backdoor is capable of downloading additional malware (cc[.]exe), Proofpoint could not retrieve this file during its investigation.
Attribution and Potential Iranian Links
While UNK_CraftyCamel is considered a separate entity, its tactics bear similarities to Iranian-aligned groups such as TA451 and TA455, which have historically targeted aerospace and engineering firms. The use of HTA files, business-to-business (B2B) phishing lures, and an interest in UAE-based organizations suggest a potential connection to past Iranian cyber campaigns.
Despite these overlaps, Proofpoint has not definitively attributed UNK_CraftyCamel to any known state-backed actor but acknowledges potential links to the Islamic Revolutionary Guard Corps (IRGC).
Defensive Measures and Industry Implications
This campaign is a prime example of the growing sophistication of cyber espionage operations, particularly those exploiting supply chain vulnerabilities and trusted relationships to evade initial detection.
Defenders should hunt for the following behaviours on endpoints:
- LNK files executing from recently unzipped directories
- Suspicious .url files referenced from Windows registry Run keys
- Executables reading JPG files in user directories
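The three hunts above can be written as rules over endpoint telemetry. The script below is an added example, not Proofpoint's detection content; it runs over constructed events modelled loosely on Sysmon fields (process creation with a CurrentDirectory, a registry value set, and a file read) and assumes an EDR that records file reads, which plain Sysmon does not. The `Temp1_` folder name is the one Windows Explorer uses when it extracts a double-clicked archive member into `%TEMP%`; the rule names, the time window and the viewer allow-list are this example's own choices.

```python
"""Three endpoint hunts for the behaviours listed above, run over constructed events.

Added example. Event dicts are a loose model of Sysmon/EDR fields, not a
product schema, and constructed_events() is made-up telemetry.
"""
import re
from datetime import datetime, timedelta

RECENT = timedelta(minutes=10)
# Explorer extracts a double-clicked archive member into %TEMP%\Temp1_<archive>\ first
EXTRACT_DIR = re.compile(r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
USER_JPG = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\.*\.jpe?g$", re.IGNORECASE)
# Processes expected to open pictures; any other .exe touching user JPGs is flagged
IMAGE_VIEWERS = {"explorer.exe", "mspaint.exe", "photos.exe", "dllhost.exe", "msedge.exe"}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, timestamp) pairs for events matching one of the three hunts."""
    alerts = []
    extracted = {}  # extraction folder -> time its first file appeared
    for e in sorted(events, key=_ts):
        when = _ts(e)
        if e["kind"] == "file_create":
            m = EXTRACT_DIR.search(e["path"])
            if m:
                extracted.setdefault(e["path"][:m.end()].lower(), when)
        elif e["kind"] == "process":
            # Explorer launching something whose working dir is a freshly extracted archive:
            # the typical footprint of a user double-clicking an LNK inside a zip
            cwd = e.get("cwd", "").rstrip("\\") + "\\"
            m = EXTRACT_DIR.search(cwd)
            if m and _base(e.get("parent", "")) == "explorer.exe":
                born = extracted.get(cwd[:m.end()].lower())
                if born is not None and when - born <= RECENT:
                    alerts.append(("lnk-from-extracted-archive", e["ts"]))
        elif e["kind"] == "registry":
            if RUN_KEY.search(e["key"]) and e.get("data", "").lower().endswith(".url"):
                alerts.append(("url-file-in-run-key", e["ts"]))
        elif e["kind"] == "file_read":
            proc = _base(e["proc"])
            if USER_JPG.match(e["path"]) and proc.endswith(".exe") and proc not in IMAGE_VIEWERS:
                alerts.append(("exe-reads-user-jpg", e["ts"]))
    return alerts


def constructed_events():
    """Made-up telemetry for the demo; paths, SID and names are invented."""
    tmp = r"C:\Users\ops\AppData\Local\Temp\Temp1_Quote.zip"
    return [
        {"ts": "2024-10-25T09:00:00", "kind": "file_create", "proc": r"C:\Windows\explorer.exe",
         "path": tmp + r"\Quote.xlsx.lnk"},
        {"ts": "2024-10-25T09:00:04", "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
         "parent": r"C:\Windows\explorer.exe", "cwd": tmp},
        {"ts": "2024-10-25T09:00:06", "kind": "registry",
         "key": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
         "data": r"C:\Users\ops\AppData\Roaming\Updater\update.url"},
        {"ts": "2024-10-25T09:00:09", "kind": "file_read", "proc": r"C:\Users\ops\AppData\Roaming\Updater\svc.exe",
         "path": r"C:\Users\ops\Pictures\invite.jpg"},
        # benign noise: a real viewer opening a picture, and a console opened from Documents
        {"ts": "2024-10-25T09:01:00", "kind": "file_read", "proc": r"C:\Windows\explorer.exe",
         "path": r"C:\Users\ops\Pictures\dog.jpg"},
        {"ts": "2024-10-25T09:02:00", "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
         "parent": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\ops\Documents"},
        # same extraction folder hours later: outside the recency window, so no alert
        {"ts": "2024-10-25T13:00:00", "kind": "process", "image": r"C:\Windows\System32\cmd.exe",
         "parent": r"C:\Windows\explorer.exe", "cwd": tmp},
    ]


if __name__ == "__main__":
    for rule, ts in detect(constructed_events()):
        print(ts, rule)
```

The first rule keys on the working directory rather than on a `.lnk` path because, when a user double-clicks a shortcut, the process creation event records the shortcut's target (here `cmd.exe`) with Explorer as the parent, not the `.lnk` itself; correlating that with a just-created `Temp1_` folder is what makes "recently unzipped" concrete. Tune `IMAGE_VIEWERS` and `RECENT` to your estate before deploying anything like this.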
Also, training staff to recognize domain impersonation and suspicious attachments can help mitigate risk.
Evolving Techniques
The UNK_CraftyCamel campaign shows how advanced threat actors keep refining their tradecraft to evade detection. By combining polyglot files with heavily obfuscated malware, attackers make it harder for signature-based security tools to identify threats.
Proofpoint researchers continue to monitor UNK_CraftyCamel for further developments and have credited PwC Threat Intelligence for their collaboration on this investigation.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.