Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out “fewer than five” entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano.
The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October 2024. The enterprise security firm is tracking the emerging cluster under the moniker UNK_CraftyCamel.
A noteworthy aspect of the attack chain is the fact that the adversary took advantage of its access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing messages. The entity is said to have been in a trusted business relationship with all the targets, with the lures tailored to each of them.
“UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano,” Proofpoint said in a report shared with The Hacker News.
The emails contained URLs that pointed to a bogus domain masquerading as the Indian company (“indicelectronics[.]net”), hosting a ZIP archive that included an XLS file and two PDF files.
But in reality, the XLS file was a Windows shortcut (LNK) using a double extension to pass off as a Microsoft Excel document. The two PDF files, on the other hand, turned out to be polyglots: one that was appended with an HTML Application (HTA) file and the other with a ZIP archive appended to it.
This also meant that both PDF files could be interpreted as two different valid formats depending on how they are parsed using programs like file explorers, command-line tools, and browsers.
The attack sequence analyzed by Proofpoint entails using the LNK file to launch cmd.exe and then using mshta.exe to run the PDF/HTA polyglot file, leading to the execution of the HTA script that, in turn, contains instructions to unpack the contents of the ZIP archive present within the second PDF.
One of the files in the second PDF is an internet shortcut (URL) file that’s responsible for loading a binary, which subsequently looks for an image file that’s ultimately XORed with the string “234567890abcdef” to decode and run the DLL backdoor called Sosano.
Written in Golang, the implant carries a limited functionality to establish contact with a command-and-control (C2) server and await further commands –
- sosano, to get current directory or change working directory
- yangom, to enumerate the contents of the current directory
- monday, to download and launch an unknown next-stage payload
- raian, to delete or remove a directory
- lunna, to execute a shell command
Proofpoint noted that the tradecraft demonstrated by UNK_CraftyCamel does not overlap with any other known threat actor or group.
“Our analysis suggests that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC),” Joshua Miller, APT Staff Threat Researcher at Proofpoint, told The Hacker News. “The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape.”
“This low volume, highly targeted phishing campaign leveraged multiple obfuscation techniques along with a trusted third-party compromise to target aviation, satellite communications, and critical transportation infrastructure in the U.A.E. It demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully.”
