Full Report
A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates. [...]
Analysis Summary
# Incident Report: Polyglot Malware Campaign Targeting Aviation and Satellite Firms
## Executive Summary
A sophisticated, multi-stage attack campaign utilizing polyglot malware targeted the aviation and satellite communication sectors. The attackers leveraged spear-phishing emails originating from a compromised third party, using LNK files and specially crafted polyglot PDF documents to evade detection. The final payload deployed was the Sosano Go-based backdoor, establishing command and control for potential further compromise.
## Incident Details
- Discovery Date: Not explicitly stated, but context suggests recent observation by Proofpoint.
- Incident Date: Not explicitly stated, but ongoing observation of a new campaign.
- Affected Organization: Aviation and satellite communication firms (specific victims not named; the attack originated from a compromised Indian electronics company, INDIC Electronics).
- Sector: Aviation, Satellite Communications, Electronics (Supply Chain).
- Geography: Targeted organizations in the United Arab Emirates; the lure originated from India.
## Timeline of Events
### Initial Access
- Date/Time: During the observed campaign period.
- Vector: Highly targeted spear-phishing email.
- Details: Emails were sent from a compromised Indian electronics company (INDIC Electronics) containing malicious URLs.
### Lateral Movement
- Details: No network lateral movement is described in this summary; the infection chain instead relies on the Windows Registry to persist the subsequent stages. Persistence was established by writing a URL file to the Registry.
### Data Exfiltration/Impact
- Details: The final payload deployed was the Sosano backdoor (yourdllfinal.dll), capable of file operations, shell command execution, and fetching additional payloads, suggesting intent for data harvesting and deeper compromise.
### Detection & Response
- Detection: Observed by threat intelligence firm Proofpoint.
- Response Actions: Defending against polyglot threats requires email scanning, user education, and security software capable of detecting multiple file formats within a single file.
## Attack Methodology
- Initial Access: Spear-phishing leading to a download of "OrderList.zip" from a spoofed domain (indicelectronics\[.\]net).
- Persistence: A URL file was written to the Windows Registry upon execution of the hidden ZIP archive content.
- Privilege Escalation: Not explicitly detailed, but execution relied on user interaction with a decoy LNK file.
- Defense Evasion: Primary evasion technique involved using polyglot PDF files. Security scanners inspected only the benign PDF structure, ignoring the embedded malicious code (HTA/ZIP).
- Credential Access: Not explicitly detailed in this summary.
- Discovery: The HTA script executed subsequent files, including an XOR-encoded JPEG that was decoded to yield the final DLL payload.
- Lateral Movement: Not detailed.
- Collection: The final Sosano backdoor allows for file operations and fetching further payloads.
- Exfiltration: Communication established with C2 server bokhoreshonline\[.\]com, indicating potential exfiltration readiness.
- Impact: Deployment of the backdoor malware (Sosano), enabling remote access and control.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: No breach is confirmed, but the backdoor's file-access and command-execution capabilities establish the potential for sensitive data theft.
- Operational: Potential disruption related to C2 communication and malware execution.
- Reputational: Risk due to targeting sensitive sectors like aviation and satellite communications.
## Indicators of Compromise
- Network Indicators (Defanged):
  - C2 Domain: bokhoreshonline\[.\]com
  - Initial Download Domain: indicelectronics\[.\]net (Spoofed)
- File Indicators:
  - Archive Contents: LNK file, "about-indic.pdf" (HTA payload), "electronica-2024.pdf" (ZIP payload).
  - Final Payload: yourdllfinal.dll (Sosano backdoor).
- Behavioral Indicators:
  - Execution of mshta.exe by cmd.exe following LNK execution.
  - Decoding of XOR-encoded JPEG to drop DLL payload.
  - Registry modification to establish persistence via URL file.
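The behavioral indicator that is easiest to turn into a detection is the process chain: a double-clicked LNK shows up in endpoint telemetry as explorer.exe spawning cmd.exe, which then launches mshta.exe against a file whose extension is .pdf rather than .hta. The following is an added example, not code from the original report or from Proofpoint, that scores process-creation events for exactly that chain. The event records are constructed, Sysmon-style dictionaries (pid, ppid, image, cmdline); the field names, the `detect`/`assess` helpers and the sample file paths are assumptions made for this example. It also serves the EDR recommendation in the Recommendations section below.

```python
"""Detection example (added, constructed data): flag mshta.exe launched by a
shell and/or handed a non-.hta document such as a polyglot PDF."""
import ntpath
import re

SCRIPT_HOST = "mshta.exe"
SHELL_PARENTS = {"cmd.exe", "powershell.exe"}
# First argument handed to mshta.exe, whether quoted or bare.
ARG_RE = re.compile(r'mshta(?:\.exe)?"?\s+(?:"([^"]+)"|(\S+))', re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def ancestry(event: dict, by_pid: dict, max_depth: int = 4) -> list:
    """Image names from the event upward: [self, parent, grandparent, ...]."""
    chain = [image_name(event["image"])]
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(image_name(parent["image"]))
        cur = parent
    return chain


def mshta_argument(cmdline: str):
    """Return the document path mshta.exe was asked to run, or None."""
    m = ARG_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) or m.group(2)


def assess(event: dict, by_pid: dict) -> list:
    """Reasons an mshta.exe event looks like the LNK -> cmd -> mshta chain."""
    if image_name(event["image"]) != SCRIPT_HOST:
        return []
    chain = ancestry(event, by_pid)
    reasons = []
    if len(chain) > 1 and chain[1] in SHELL_PARENTS:
        reasons.append("spawned_by_shell:" + chain[1])
    if "explorer.exe" in chain[1:]:
        # explorer.exe as an ancestor is consistent with a double-clicked LNK.
        reasons.append("interactive_origin")
    arg = mshta_argument(event["cmdline"])
    if arg and not arg.lower().endswith(".hta"):
        # A .pdf (or any non-.hta) document fed to mshta is the polyglot tell.
        reasons.append("non_hta_argument:" + ntpath.splitext(arg)[1].lower())
    return reasons


def detect(events: list) -> list:
    """Alert on events with at least one strong reason; weak ones ride along."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        reasons = assess(e, by_pid)
        strong = {r.split(":")[0] for r in reasons} & {"spawned_by_shell", "non_hta_argument"}
        if strong:
            alerts.append({"pid": e["pid"], "reasons": reasons})
    return alerts


# Constructed sample telemetry (assumed field names; not real campaign logs).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c mshta.exe "C:\Users\victim\Downloads\about-indic.pdf"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\Downloads\about-indic.pdf"'},
    # Benign control: an administrator running a real .hta from Explorer.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"'},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only pid 300 is alerted: it carries both strong reasons (shell parent, .pdf argument) plus the interactive-origin context, while the control process launched from Explorer with a genuine .hta produces no alert.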
## Response Actions
- Containment: Not detailed; implicitly involves isolating affected systems and blocking C2 communication.
- Eradication Steps: Not detailed; would require removal of the Sosano payload and the associated registry keys.
- Recovery Actions: Not detailed; would require hardening email gateways and application controls.
## Lessons Learned
- Polyglot files represent a significant evasion technique, effectively hiding malicious content within seemingly benign file structures (e.g., PDF hiding HTA/ZIP).
- Security tools must be configured to deeply inspect file contents or specifically identify and flag polyglot structures.
- Third-party compromise (INDIC Electronics) served as a trusted initial vector for a supply chain-adjacent attack.
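Polyglot detection rests on a simple observation: a PDF reader only needs the `%PDF-` signature within the first 1024 bytes, while a ZIP reader locates the archive from the End Of Central Directory record near the end of the file, and mshta.exe only needs HTA/script markup somewhere in the body. A scanner that checks each format's own entry point, rather than trusting the first one it recognizes, will therefore see all of them. The following triage helper is an added example, not code from the original report or from Proofpoint; the sample files it scans are constructed in memory, and the heuristic marker list and threshold are assumptions. It also serves the deep-content-inspection recommendation below.

```python
"""Added triage example: flag PDFs that also parse as a ZIP archive or
carry HTA-style script markup (PDF/ZIP and PDF/HTA polyglots)."""
import io
import re
import zipfile

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
# Markup mshta.exe would act on; a plain PDF has no reason to contain it.
HTA_MARKERS = {
    "hta_application": re.compile(rb"<hta:application", re.I),
    "script_tag": re.compile(rb"<script\b", re.I),
    "activex": re.compile(rb"ActiveXObject", re.I),
}
TRAILING_BYTES_THRESHOLD = 16  # a newline or two after %%EOF is normal


def looks_like_pdf(data: bytes) -> bool:
    """Readers accept %PDF- anywhere in the first 1 KiB; so do we."""
    return data.find(PDF_MAGIC, 0, 1024) != -1


def embedded_zip_members(data: bytes):
    """Member names if the bytes also parse as a ZIP archive, else None.

    zipfile finds the End Of Central Directory record from the end of the
    buffer and compensates for arbitrary leading bytes (here, the PDF).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return None


def hta_markers_present(data: bytes) -> list:
    return [name for name, rx in HTA_MARKERS.items() if rx.search(data)]


def trailing_bytes_after_eof(data: bytes) -> int:
    """Count bytes after the last %%EOF; large tails hide appended payloads."""
    idx = data.rfind(PDF_EOF)
    if idx == -1:
        return 0
    return len(data) - (idx + len(PDF_EOF))


def scan(data: bytes) -> dict:
    """Return {'is_pdf': bool, 'findings': [...]}; findings is empty for a plain PDF."""
    result = {"is_pdf": looks_like_pdf(data), "findings": []}
    if not result["is_pdf"]:
        return result
    members = embedded_zip_members(data)
    if members is not None:
        result["findings"].append(("zip", members))
    markers = hta_markers_present(data)
    if markers:
        result["findings"].append(("hta", markers))
    tail = trailing_bytes_after_eof(data)
    if tail > TRAILING_BYTES_THRESHOLD:
        result["findings"].append(("trailing_data", tail))
    return result


# --- constructed samples; not artefacts from the campaign ---
def minimal_pdf() -> bytes:
    return (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
            b"trailer<</Root 1 0 R>>\n%%EOF\n")


def pdf_zip_polyglot() -> bytes:
    """PDF with a complete ZIP archive appended after %%EOF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("member.txt", "placeholder content")
    return minimal_pdf() + buf.getvalue()


def pdf_hta_polyglot() -> bytes:
    """PDF followed by inert HTA markup (no script body)."""
    hta = (b"<html><hta:application id=x></hta:application>"
           b"<script>/* placeholder */</script></html>")
    return minimal_pdf() + hta


if __name__ == "__main__":
    samples = [("plain", minimal_pdf()), ("pdf+zip", pdf_zip_polyglot()),
               ("pdf+hta", pdf_hta_polyglot())]
    for label, blob in samples:
        print(label, scan(blob))
```

The plain PDF yields no findings, the PDF/ZIP sample is reported both as a valid archive and as trailing data after `%%EOF`, and the PDF/HTA sample trips the markup markers. Real gateway scanners should run every format parser over the whole file in the same spirit, rather than stopping at the first signature match.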
## Recommendations
- Implement strict email gateway controls to block dangerous file types such as LNK, HTA, and ZIP files, especially when originating from external sources, unless absolutely required for operations.
- Enhance endpoint detection and response (EDR) capabilities to monitor for unusual process chains involving mshta.exe execution initiated by common document handlers.
- Deploy security software capable of deep content inspection that can detect and analyze multiple file formats embedded within a single container file.
- Review user security awareness training specifically regarding attachments from vendors/partners originating from unexpected sources.