
Threat hunters have shed light on a new, highly targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (UAE) to deliver a previously undocumented Golang backdoor dubbed Sosano.
The malicious activity was specifically directed at aviation and satellite communications organizations, according to Proofpoint, which detected it in late October 2024. The enterprise security company is tracking the emerging cluster under the name UNK_CRAFTYCAMEL.
A notable aspect of the attack chain is that the adversary used access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send the phishing messages. The entity is said to have had a trusted business relationship with all of the targets, and the lures were tailored to each one.

"UNK_CRAFTYCAMEL leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that used multiple polyglot files to eventually install a custom Go backdoor known as Sosano."
The emails contained a URL pointing to a bogus domain impersonating the Indian company ("indicelectronics[.]net") that hosted a ZIP archive containing an XLS file and two PDF files.
In reality, the XLS file was a Windows shortcut (LNK) masquerading as a Microsoft Excel document by means of a double extension. The two PDF files, meanwhile, turned out to be polyglots: one had an HTML Application (HTA) file appended to it, and the other had a ZIP archive appended.
This meant that each PDF file could be interpreted as two different valid formats depending on how it was parsed, whether by File Explorer, command-line tools, or a browser.
The attack sequence analyzed by Proofpoint uses the LNK file to launch cmd.exe, which runs mshta.exe to execute the PDF/HTA polyglot; the embedded HTA script then contains instructions to unpack the contents of the ZIP archive that resides in the second PDF.
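The polyglot trick described above works because a PDF reader stops at the last %%EOF marker and ignores whatever follows, while mshta.exe or a ZIP parser reads the appended data instead. The Python script below is an added example, not part of the original article or of Proofpoint's research: it inspects a file that claims to be a PDF for an appended ZIP archive or HTA content, and separately flags a shortcut that hides behind a document extension such as "report.xls.lnk". The sample files it scans are constructed in memory; the HTA marker strings and the document-extension list are assumptions to adapt to your environment.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
# Markup that only matters if a script host such as mshta.exe parses the file
# (assumed set; extend it with whatever your environment sees).
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
# Document extensions an LNK is likely to imitate (assumed list).
DOCUMENT_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf"}


def pdf_trailer(data: bytes) -> bytes:
    """Bytes after the last %%EOF marker. A well-formed PDF has little or
    nothing here; a polyglot parks its second format in this region because
    PDF readers ignore it."""
    idx = data.rfind(b"%%EOF")
    if idx == -1:
        return b""
    return data[idx + len(b"%%EOF"):]


def classify_polyglot(data: bytes) -> dict:
    """Inspect a file that claims to be a PDF for an appended ZIP or HTA."""
    result = {
        "is_pdf": data.startswith(PDF_MAGIC),
        "zip_appended": False,
        "zip_members": [],
        "hta_appended": False,
    }
    if not result["is_pdf"]:
        return result
    tail = pdf_trailer(data)
    # ZIP: a local file header plus an end-of-central-directory record in the
    # trailer. zipfile tolerates prepended data, so the PDF prefix is no obstacle.
    if ZIP_LOCAL_HEADER in tail and ZIP_EOCD in tail:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                result["zip_members"] = zf.namelist()
                result["zip_appended"] = True
        except zipfile.BadZipFile:
            pass
    # HTA/HTML: markup in the trailer that a PDF reader never looks at.
    lowered = tail.lower()
    result["hta_appended"] = any(m in lowered for m in HTA_MARKERS)
    return result


def masquerading_lnk(filename: str) -> bool:
    """True for a shortcut hiding behind a document extension, e.g.
    'report.xls.lnk'; Explorer hides the final .lnk so only 'report.xls' shows."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "lnk" and parts[-2] in DOCUMENT_EXTENSIONS


def build_samples() -> dict:
    """Constructed sample files: a plain PDF, a PDF+ZIP polyglot and a PDF+HTA
    polyglot. The PDF body is minimal and is not meant to render."""
    pdf = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.url", "[InternetShortcut]\nURL=file://placeholder\n")
    hta = (b"<html><head><hta:application id=\"x\"></head>"
           b"<body><script language=\"VBScript\">' constructed sample, no body"
           b"</script></body></html>")
    return {"clean": pdf, "pdf_zip": pdf + buf.getvalue(), "pdf_hta": pdf + hta}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, classify_polyglot(blob))
    print("invoice.xls.lnk", masquerading_lnk("invoice.xls.lnk"))
```

The ZIP branch deliberately requires both a local file header and an end-of-central-directory record before handing the bytes to zipfile, so a stray "PK" inside a legitimate PDF stream does not trigger a false positive; the HTA branch is a cheap marker scan, which is enough for triage but should be paired with mail-gateway rules that strip or quarantine PDFs carrying trailing markup.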

One of the files in the second PDF is an Internet Shortcut (URL) file that is responsible for loading a binary, which in turn looks for an image file that is ultimately XORed to decode and run a DLL backdoor called Sosano.
The implant, written in Golang, has limited functionality: it establishes contact with a command-and-control (C2) server and awaits further commands – sosano (get the current directory or change the working directory); a command to enumerate the contents of the current directory; monday (download and launch an unknown next-stage payload); raian (remove or delete a directory); and lunna (run shell commands).
Proofpoint noted that the tradecraft demonstrated by UNK_CRAFTYCAMEL does not overlap with that of other known threat actors or groups.

"Our analysis suggests that this campaign is likely Iranian-aligned and is likely partnered with the Islamic Revolutionary Guard Corps (IRGC)," Joshua Miller, APT staff threat researcher at Proofpoint, told The Hacker News. "The targeted sectors are important for both economic stability and national security, and are valuable information targets in the broader geopolitical landscape."
"This low-volume, highly targeted phishing campaign leveraged multiple obfuscation techniques, along with a trusted third-party compromise, to target aviation, satellite communications, and critical transportation infrastructure in the UAE."