Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Suspected Iranian Hackers Used Compromised Indian Firm’s Email to Target U.A.E. Aviation Sector

The Hacker News by The Hacker News
March 4, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Mar 04, 2025Ravie LakshmananCyber Espionage / Malware

Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out “fewer than five” entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano.

The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October 2024. The enterprise security firm is tracking the emerging cluster under the moniker UNK_CraftyCamel.

A noteworthy aspect of the attack chain is the fact that the adversary took advantage of its access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing messages. The entity is said to have been in a trusted business relationship with all the targets, with the lures tailored to each of them.

Cybersecurity

“UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano,” Proofpoint said in a report shared with The Hacker News.

The emails contained URLs that pointed to a bogus domain masquerading as the Indian company (“indicelectronics[.]net”), hosting a ZIP archive that included an XLS file and two PDF files.

But in reality, the XLS file was a Windows shortcut (LNK) using a double extension to pass off as a Microsoft Excel document. The two PDF files, on the other hand, turned out to be polyglots: one that was appended with an HTML Application (HTA) file and the other with a ZIP archive appended to it.

This also meant that both PDF files could be interpreted as two different valid formats depending on how they are parsed using programs like file explorers, command-line tools, and browsers.

The attack sequence analyzed by Proofpoint entails using the LNK file to launch cmd.exe and then using mshta.exe to run the PDF/HTA polyglot file, leading to the execution of the HTA script that, in turn, contains instructions to unpack the contents of the ZIP archive present within the second PDF.

Target UAE Aviation Sector

One of the files in the second PDF is an internet shortcut (URL) file that’s responsible for loading a binary, which subsequently looks for an image file that’s ultimately XORed with the string “234567890abcdef” to decode and run the DLL backdoor called Sosano.

Written in Golang, the implant carries a limited functionality to establish contact with a command-and-control (C2) server and await further commands –

  • sosano, to get current directory or change working directory
  • yangom, to enumerate the contents of the current directory
  • monday, to download and launch an unknown next-stage payload
  • raian, to delete or remove a directory
  • lunna, to execute a shell command

Proofpoint noted that the tradecraft demonstrated by UNK_CraftyCamel does not overlap with any other known threat actor or group.

Cybersecurity

“Our analysis suggests that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC),” Joshua Miller, APT Staff Threat Researcher at Proofpoint, told The Hacker News. “The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape.”

“This low volume, highly targeted phishing campaign leveraged multiple obfuscation techniques along with a trusted third-party compromise to target aviation, satellite communications, and critical transportation infrastructure in the U.A.E. It demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Huawei schlägt ein neues innovatives Kapitel auf, mit der weltweiten Veröffentlichung eines dreifach gefalteten Smartphones, Tablets der nächsten Generation und Open-Ear-Audio

Huawei schlägt ein neues innovatives Kapitel auf, mit der weltweiten Veröffentlichung eines dreifach gefalteten Smartphones, Tablets der nächsten Generation und Open-Ear-Audio

Recommended.

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

OttoKit WordPress Plugin with 100K+ Installs Hit by Exploits Targeting Multiple Flaws

May 7, 2025
Government announces inevitable end to Payments Services Regulator | Computer Weekly

Government announces inevitable end to Payments Services Regulator | Computer Weekly

March 13, 2025

Trending.

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

⚡ Weekly Recap: Oracle 0-Day, BitLocker Bypass, VMScape, WhatsApp Worm & More

October 6, 2025
Cloud Computing on the Rise: Market Projected to Reach .6 Trillion by 2030

Cloud Computing on the Rise: Market Projected to Reach $1.6 Trillion by 2030

August 1, 2025
Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

Stocks making the biggest moves midday: Autodesk, PayPal, Rivian, Nebius, Waters and more

July 14, 2025
The Ultimate MSP Guide to Structuring and Selling vCISO Services

The Ultimate MSP Guide to Structuring and Selling vCISO Services

February 19, 2025
Translators’ Voices: China shares technological achievements with the world for mutual benefit

Translators’ Voices: China shares technological achievements with the world for mutual benefit

June 3, 2025

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio