Sosano malware employed in cyberattacks against UAE orgs

March 7, 2025

A newly discovered cyberespionage campaign that uses the Sosano malware is targeting the aviation industry, satellite communications, and transportation infrastructure based in the UAE.

Researchers have linked this new campaign to a malicious cybercriminal entity dubbed UNK_CraftyCamel. According to reports, this group currently uses a clever infection chain to deliver the malware mentioned earlier.

The attack allegedly began in the fall of last year and targeted less than firms with fraudulent emails sent from INDIC Electronics, a compromised Indian electronics company. The threat actors used highly customised lures, such as a ZIP file containing polyglot files, to bypass security detections and deploy the malware undetected.

The researchers explained that polyglot files are files that can be validly parsed as more than one format. They are built by carefully laying out data so that different parsers interpret the same bytes differently, often by exploiting format-specific quirks or overlapping headers.

Such files are rarely used in ordinary software development but remain useful in specialised technical fields; the researchers therefore believe their use points to an advanced adversary focused on stealth and obfuscation.


The threat actors may have deployed the Sosano backdoor malware through a compromised ZIP file.


Investigations uncovered an infection chain that allegedly began with a ZIP file containing an XLS file and two PDFs. The "XLS" file was actually an LNK shortcut with a deceptive double extension, while the two PDFs were polyglots: one carried an embedded HTA file, the other a concealed ZIP archive.
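The following is an added example, not code from the researchers or the article, showing how a defender can flag the two traits described above: a PDF that a ZIP parser also accepts as an archive (or that carries HTA markup), and a shortcut hiding behind a double extension. The sample polyglot is constructed inline and is benign; the marker strings and the extension list are my own assumptions.

```python
"""Flag PDF/ZIP and PDF/HTA polyglots and double-extension LNK lures (added example)."""
import io
import zipfile
from typing import List

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"                      # end-of-central-directory record
HTA_MARKERS = (b"<hta:application", b"<script")  # assumed indicators of HTA content
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # HeaderSize 0x4C + start of LinkCLSID
DOC_LIKE = {"xls", "xlsx", "pdf", "doc", "docx"}  # assumed set of lure extensions


def polyglot_indicators(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    lowered = filename.lower()
    # "schedule.xls.lnk" style lure: Explorer hides the trailing .lnk by default.
    if lowered.endswith(".lnk") and lowered[:-4].rpartition(".")[2] in DOC_LIKE:
        findings.append("lnk-double-extension")
    if data.startswith(LNK_MAGIC) and not lowered.endswith(".lnk"):
        findings.append("lnk-magic-with-other-extension")
    if data.startswith(PDF_MAGIC):
        # A ZIP reader locates the archive from the END of the file, so a ZIP can
        # trail the PDF body while a PDF reader keys off the leading header.
        if ZIP_EOCD in data and ZIP_LOCAL_HEADER in data:
            findings.append("pdf-zip-polyglot")
        if any(marker in data.lower() for marker in HTA_MARKERS):
            findings.append("pdf-hta-markup")
    return findings


def zip_entries_inside(data: bytes) -> List[str]:
    """Names a ZIP parser would extract from the blob, whatever its leading bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def build_sample_pdf_zip_polyglot() -> bytes:
    """Constructed benign sample: a PDF-looking prefix with a small ZIP appended."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.txt", "harmless placeholder")
    pdf_prefix = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    return pdf_prefix + buf.getvalue()
```

Running `zip_entries_inside` on the constructed sample shows that Python's own ZIP parser happily opens the archive despite the PDF header, which is exactly the dual interpretation a polyglot relies on.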

Once the target opens the files, the chain extracts and runs Sosano. This Golang backdoor hinders analysis by bloating its binary with unused libraries. On execution it connects to a C2 server and waits for commands.

These tasks include listing folders, running shell commands, and downloading additional payloads.

Researchers track this activity as a distinct intrusion cluster, UNK_CraftyCamel. Although several of its tactics and techniques resemble those of known Iranian-aligned actors such as TA451 and TA455, the researchers have not attributed the behaviour to any previously identified group.

This newly discovered operation currently focuses on aviation and satellite communications in the UAE, which indicates that the group is executing a strategic intelligence-gathering operation.
