Threat hunters are tracking a new highly targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (UAE) to deliver a previously undocumented backdoor dubbed Sosano.
According to Proofpoint, which discovered the activity in late October 2024, the campaign was specifically aimed at aviation and satellite communications organizations. The company is tracking the cluster under the name UNK_CraftyCamel.
A notable aspect of the attack chain is that the adversary leveraged access to a compromised email account belonging to an Indian electronics company, INDIC Electronics, to send the phishing messages. The company is said to have had a trusted business relationship with all of the targets, and the lures were tailored to each of them.
"UNK_CraftyCamel used a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that used multiple polyglot files to eventually install a custom Go backdoor," Proofpoint said in a report shared with The Hacker News.
The emails contained a URL pointing to a lookalike domain masquerading as the Indian company ("indicelectronics[.]net") that hosted a ZIP archive containing an XLS file and two PDF files.
In reality, the XLS file was a Windows shortcut (LNK) using a double extension to pass itself off as a Microsoft Excel document. The two PDF files, for their part, were polyglots: one had an HTML Application (HTA) file appended to it, and the other had a ZIP archive appended to it.
This means both PDF files could be interpreted as two different valid formats depending on how they are parsed by applications such as file explorers, command-line tools, and browsers.
The attack sequence analyzed by Proofpoint involves using the LNK file to launch cmd.exe, which then uses mshta.exe to run the PDF/HTA polyglot file. This leads to the execution of the HTA script, which in turn contains instructions to unpack the contents of the ZIP archive embedded in the second PDF.
One of the files in the second PDF is an internet shortcut (URL) file that is responsible for loading a binary that then looks for an image file, which is ultimately XORed with the string "234567890abcdef" to decode and run a DLL backdoor called Sosano.
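The three tricks described above (a double-extension LNK posing as a spreadsheet, PDF files with an HTA or a ZIP appended, and an "image" that only becomes a DLL after a repeating-key XOR) are all cheap to check for in an archive before anyone double-clicks it. The script below is an added triage example, not code from the article or from Proofpoint: it walks a ZIP archive in memory and flags members showing any of those traits. The key `234567890abcdef` is the one quoted in the article; the sample archive, file names and PDF contents are constructed here for the demonstration.

```python
import io
import zipfile
from dataclasses import dataclass

# XOR key quoted in the Proofpoint write-up for the Sosano loader's image file.
XOR_KEY = b"234567890abcdef"

# Signatures used to spot a second format hiding inside a PDF.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
# Windows shell link header: HeaderSize 0x4C followed by the LNK CLSID prefix.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
DOC_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")


@dataclass
class Finding:
    member: str
    reason: str


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice returns the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def classify_member(name: str, data: bytes) -> list:
    """Return the suspicious traits of one archive member."""
    findings = []
    lower = name.lower()

    # 1. Shortcut with a document extension buried in the name ("report.xlsx.lnk"),
    #    or a shell-link header behind a non-.lnk extension.
    if lower.endswith(".lnk") and any(ext in lower[:-4] for ext in DOC_EXTS):
        findings.append(Finding(name, "double-extension shortcut masquerading as a document"))
    elif data.startswith(LNK_MAGIC) and not lower.endswith(".lnk"):
        findings.append(Finding(name, "shell link header with a non-.lnk extension"))

    # 2. PDF polyglots: a valid PDF header plus an appended ZIP or HTA body.
    if data.startswith(b"%PDF"):
        if ZIP_LOCAL_HEADER in data:
            findings.append(Finding(name, "PDF/ZIP polyglot"))
        if any(marker in data.lower() for marker in HTA_MARKERS):
            findings.append(Finding(name, "PDF/HTA polyglot"))

    # 3. "Image" whose first bytes XOR-decode to a PE header under the quoted key.
    if lower.endswith(IMAGE_EXTS) and xor_with_key(data[:2]) == b"MZ":
        findings.append(Finding(name, "image file XOR-decodes to a PE (MZ) header"))

    return findings


def scan_archive(zip_bytes: bytes) -> list:
    """Scan every file member of a ZIP held in memory."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.extend(classify_member(info.filename, zf.read(info)))
    return results


def build_sample_archive() -> bytes:
    """Constructed sample archive mimicking the lure's layout (not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z2:
        z2.writestr("stage.url", "[InternetShortcut]\nURL=http://example.invalid/\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.xlsx.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n<html><hta:application/><script>x</script>")
        zf.writestr("brochure.pdf", b"%PDF-1.4\n" + inner.getvalue())
        zf.writestr("photo.jpg", xor_with_key(b"MZ\x90\x00" + b"\x00" * 16))
        zf.writestr("clean.pdf", b"%PDF-1.4\n%clean\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f.member}: {f.reason}")
```

The checks are deliberately structural rather than signature-based: a double extension, a second file format appended after a PDF body, and a decoded `MZ` stub are properties of the technique, so they survive renamed files and rebuilt lures. Expect some noise from the PDF/ZIP rule on documents with legitimate embedded attachments; treat a hit as a reason to detonate or inspect, not as a verdict.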
The implant, written in Golang, has limited functionality: it establishes contact with a command-and-control (C2) server and waits for further commands:
- `sosano` to get the current directory or change the working directory
- `ato` to list the contents of the current directory
- `monday` to download and run an unknown next-stage payload
- `ryan` to delete or remove the directory
- `lunna` to execute a shell command
Proofpoint noted that the tradecraft demonstrated by UNK_CraftyCamel does not overlap with any known threat actor or group.
"Our analysis suggests this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC)," Joshua Miller, threat researcher at Proofpoint, told The Hacker News. "The targeted sectors are crucial to both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape."
"This low-volume, highly targeted phishing campaign used several obfuscation methods, along with a trusted third-party compromise, to target aviation, satellite communications, and critical transportation infrastructure in the UAE. It demonstrates the lengths to which state-aligned actors will go to evade detection and carry out their mandates."