A cyber-espionage campaign targeting UAE aviation and transport has been identified by researchers, using customized lures to deploy Sosano malware
Analysis Summary
# Threat Actor: UNK_CraftyCamel
## Attribution & Identity
**Identification:** A distinct intrusion cluster tracked by Proofpoint, referred to as **UNK_CraftyCamel**.
**Known Aliases/Associations:** Tactics show overlap with known Iranian-aligned threat actors such as TA451 and TA455, but definitive linkage has not been established.
## Activity Summary
A cyber-espionage campaign observed in the **Fall of 2024**. The operation focused on intelligence-gathering objectives within the United Arab Emirates (UAE). The campaign used highly customized social engineering lures delivered via malicious emails sent from a compromised Indian electronics company, **INDIC Electronics**. Fewer than five organizations were successfully targeted.
## Tactics, Techniques & Procedures
- **Initial Access:** Spearphishing emails containing ZIP archives.
- **File Deception/Obfuscation:** Use of polyglot files: a ZIP archive containing a polyglot PDF and a file presented as an XLS that was actually an LNK file hidden behind a deceptive double extension.
- **Infection Chain:** Files were structured to deliver an embedded HTA file or a hidden ZIP archive upon execution, ultimately leading to the deployment of the Sosano backdoor.
- **Code Obfuscation:** The Sosano backdoor was written in Golang and bloated with unnecessary libraries to evade detection.
- **Persistence/Execution:** Potential use of URL files referenced from the registry Run key to launch payloads.
- **Command and Control:** Sosano establishes connection to C2 servers to await remote commands.
- **Defense Evasion:** Utilizing niche and advanced file formats like polyglot files to bypass security detections.
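The polyglot and double-extension tricks above are detectable at the mail gateway or sandbox with simple content checks. The following is an added example, not code from Proofpoint or the original report: it triages each member of an in-memory ZIP for a document extension hiding behind a launcher extension (e.g. `.xls.lnk`), for a Windows shell-link header in a file not named `.lnk`, and for a PDF that also carries a ZIP structure or HTA markup. All file names and sample bytes are constructed for the example and are not real campaign artifacts.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field
from typing import List

# Shell link header: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
ZIP_LOCAL_HDR = b"PK\x03\x04"   # ZIP local file header
ZIP_EOCD = b"PK\x05\x06"        # ZIP end-of-central-directory record
PDF_MAGIC = b"%PDF-"
HTA_MARKERS = (b"<hta:application", b"<script")
DOC_EXTS = {"pdf", "xls", "xlsx", "doc", "docx", "jpg", "jpeg", "png", "txt"}
LAUNCHER_EXTS = {"lnk", "hta", "url"}


@dataclass
class Finding:
    name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(name: str, data: bytes) -> Finding:
    """Apply naming and content heuristics to one file and collect why it looks suspicious."""
    f = Finding(name)
    exts = name.lower().split(".")[1:]
    # 'invoice.xls.lnk': a document extension hiding behind a launcher extension
    if len(exts) >= 2 and exts[-1] in LAUNCHER_EXTS and exts[-2] in DOC_EXTS:
        f.reasons.append(f"double extension .{exts[-2]}.{exts[-1]} masquerading as a document")
    # content says shell link, name says something else
    if data.startswith(LNK_MAGIC) and exts[-1:] != ["lnk"]:
        f.reasons.append("LNK header in a file not named .lnk")
    # PDF polyglots: a valid-looking PDF that also carries a ZIP structure or HTA markup
    if PDF_MAGIC in data[:1024]:
        if ZIP_LOCAL_HDR in data and ZIP_EOCD in data:
            f.reasons.append("PDF also contains a ZIP archive (polyglot)")
        low = data.lower()
        if any(m in low for m in HTA_MARKERS):
            f.reasons.append("PDF contains HTA/script markup (polyglot)")
    return f


def triage_archive(zip_bytes: bytes) -> List[Finding]:
    """Run triage() over every member of an in-memory ZIP, as a gateway or sandbox would."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings.append(triage(info.filename, zf.read(info)))
    return findings


# --- constructed samples (not real campaign artifacts) ---
BENIGN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
POLYGLOT_PDF = (BENIGN_PDF
                + b"<html><hta:application id='x'/><script>/* constructed */</script></html>\n"
                + ZIP_LOCAL_HDR + b"\x00" * 26 + ZIP_EOCD + b"\x00" * 18)
LNK_SAMPLE = LNK_MAGIC + b"\x00" * 56  # header only; carries no link target


def build_sample_archive() -> bytes:
    """Construct a ZIP shaped like the described lure: a polyglot PDF plus an 'XLS' that is an LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("brief.pdf", POLYGLOT_PDF)
        zf.writestr("invoice.xls.lnk", LNK_SAMPLE)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding.name, "->", finding.reasons or "clean")
```

These are heuristics, not proof: a legitimate PDF can in rare cases contain a `PK` sequence inside a compressed stream, so a hit should route the file to a sandbox rather than block outright, while an LNK header under a document extension is a strong enough signal to quarantine on its own.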
## Targeting
- **Sectors:** Aviation, satellite communications, and critical transportation infrastructure.
- **Geography:** United Arab Emirates (UAE).
- **Victims:** Fewer than five organizations across the targeted sectors in the UAE.
## Tools & Infrastructure
- **Malware families used:** **Sosano** (a newly discovered backdoor written in Golang).
- **Infrastructure (C2, domains, IPs):** C2 server IPs/domains are not specified in the text, only that Sosano establishes a connection to a command-and-control server.
- **Supply Chain vector:** The attack was launched via emails originating from a compromised third party, **INDIC Electronics** (an Indian electronics company).
## Implications
The campaign demonstrates advanced capabilities, particularly in file format manipulation (polyglots) and advanced evasion techniques, indicating an adversary focused on sophisticated, strategic intelligence gathering against high-value infrastructure in the UAE. The use of a supply chain compromise (INDIC Electronics) highlights a risk vector for organizations dealing with that supplier.
## Mitigations
- Train users to be suspicious of unexpected or unrecognized content, even from known contacts.
- Implement detection mechanisms for domain impersonation using alternate Top-Level Domains (TLDs).
- Monitor for LNK files executing from newly created or unzipped directories.
- Monitor for the presence of a URL file in the registry run key and investigate if URL files launch anything other than a web browser.
- Detect executable files accessing JPG files from user directories, as this can signal pre-execution payload staging.
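The last three mitigations, together with the URL-file persistence TTP described earlier, translate directly into host telemetry checks. The following is an added example and not code from the original report: it runs over constructed Sysmon-style records (Run key values, `.url` file contents, process-creation and file-read events; the field names `ts`, `cmdline`, `dir_created`, `image` and `target` are this example's own) and flags a Run value that points at a `.url` file, a `.url` whose target scheme is anything other than `http`/`https`, an LNK launched from Explorer's `Temp1_<archive>.zip` extraction folder or a directory created minutes earlier, and a non-system executable reading a JPG under `C:\Users`. All paths, hostnames and timestamps are constructed.

```python
import re
from configparser import ConfigParser
from datetime import datetime, timedelta
from urllib.parse import urlparse

BROWSER_SCHEMES = {"http", "https"}
USER_DIR = re.compile(r"^c:\\users\\", re.I)
TRUSTED_DIR = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.I)
# Explorer extracts a double-clicked ZIP member into %TEMP%\Temp1_<archive>.zip\
EXPLORER_ZIP_TMP = re.compile(r"\\temp\\temp1_[^\\]+\.zip\\", re.I)
RECENT = timedelta(minutes=10)  # "newly created" threshold; tune per environment


def url_file_target(text: str):
    """Return the URL= value of an InternetShortcut (.url, INI format) file, or None."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp.get("InternetShortcut", "URL", fallback=None)


def check_run_key(values, url_files):
    """values: (name, data) pairs from a Run key; url_files: path -> .url file text."""
    alerts = []
    for name, data in values:
        m = re.search(r'"?([^"]+?\.url)(?=["\s]|$)', data, re.I)
        if not m:
            continue
        path = m.group(1)
        alerts.append(f"Run value '{name}' points at a .url file: {path}")
        target = url_file_target(url_files.get(path, "")) or ""
        if urlparse(target).scheme.lower() not in BROWSER_SCHEMES:
            alerts.append(f".url '{path}' launches a non-browser target: {target or '<missing>'}")
    return alerts


def check_lnk_exec(events):
    """events: process-creation records with ts, cmdline and the creation time of the LNK's directory."""
    alerts = []
    for e in events:
        m = re.search(r'"?([^"]*?\.lnk)"?', e["cmdline"], re.I)
        if not m:
            continue
        lnk = m.group(1)
        fresh = e["ts"] - e["dir_created"] < RECENT
        if EXPLORER_ZIP_TMP.search(lnk) or fresh:
            alerts.append(f"LNK launched from a new or unzipped directory: {lnk}")
    return alerts


def check_jpg_access(events):
    """events: file-read records with the reading process image and the file path read."""
    alerts = []
    for e in events:
        img, tgt = e["image"], e["target"]
        if (tgt.lower().endswith((".jpg", ".jpeg")) and USER_DIR.match(tgt)
                and img.lower().endswith(".exe") and not TRUSTED_DIR.match(img)):
            alerts.append(f"{img} read a JPG in a user directory: {tgt}")
    return alerts


# --- constructed telemetry (not real campaign artifacts) ---
T = datetime(2024, 10, 15, 9, 30, 0)
RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Portal", r"C:\Users\alice\Portal.url"),
    ("Sync", r'"C:\Users\alice\AppData\Roaming\Sync\sync.url"'),
]
URL_FILES = {
    r"C:\Users\alice\Portal.url": "[InternetShortcut]\nURL=https://intranet.example/\n",
    r"C:\Users\alice\AppData\Roaming\Sync\sync.url":
        "[InternetShortcut]\nURL=file:///C:/Users/alice/AppData/Roaming/Sync/sync.exe\n",
}
PROC_EVENTS = [
    {"ts": T, "cmdline": r'"C:\Users\alice\AppData\Local\Temp\Temp1_brief.zip\brief.xls.lnk"',
     "dir_created": T - timedelta(seconds=20)},
    {"ts": T, "cmdline": r'"C:\Users\alice\Desktop\Outlook.lnk"', "dir_created": T - timedelta(days=400)},
    {"ts": T, "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\alice\notes.txt',
     "dir_created": T - timedelta(days=1)},
]
FILE_EVENTS = [
    {"image": r"C:\Users\alice\AppData\Roaming\Sync\sync.exe", "target": r"C:\Users\alice\Pictures\logo.jpg"},
    {"image": r"C:\Program Files\WindowsApps\Microsoft.Photos.exe", "target": r"C:\Users\alice\Pictures\holiday.jpg"},
    {"image": r"C:\Users\alice\AppData\Roaming\Sync\sync.exe", "target": r"C:\Users\alice\Documents\report.docx"},
]


def run_all():
    """Run every check over the constructed telemetry and return the alerts by category."""
    return {"run_key": check_run_key(RUN_VALUES, URL_FILES),
            "lnk": check_lnk_exec(PROC_EVENTS),
            "jpg": check_jpg_access(FILE_EVENTS)}


if __name__ == "__main__":
    for category, alerts in run_all().items():
        for a in alerts:
            print(f"[{category}] {a}")
```

The Run-key check deliberately raises two separate alerts: any `.url` in a Run value is unusual enough to record, and a target whose scheme is not `http`/`https` (here a `file:` URL to an executable) is the case the mitigation asks analysts to investigate. The JPG check excludes images under `C:\Windows` and `C:\Program Files` to keep ordinary viewers quiet; in production that allowlist would be built from the environment's known image-handling software.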