Security researchers have uncovered a sophisticated phishing campaign targeting a small number of entities in the United Arab Emirates, specifically in the aviation and satellite communications sectors, with the goal of delivering a previously unknown Golang-based backdoor known as Sosano.
The campaign, detected by Proofpoint in late October 2024, is attributed to a threat actor tracked under the name UNK_CraftyCamel. This actor leveraged a compromised email account belonging to the Indian electronics company INDIC Electronics to send tailored phishing emails to fewer than five organizations in the UAE.
A notable aspect of this campaign is the use of a trusted third-party compromise to gain credibility with the targets. The emails contained URLs pointing to a fake domain mimicking the Indian company, hosting a ZIP archive with an XLS file and two PDF files.
Proofpoint’s analysis reveals that the attack involves multiple polyglot files, including a Windows shortcut (LNK) file disguised as a Microsoft Excel document, and two PDF files that are actually polyglots containing an HTML Application (HTA) file and a ZIP archive, respectively.
The LNK file launches cmd.exe, which then runs the PDF/HTA polyglot file using mshta.exe, leading to the execution of the HTA script that unpacks the contents of the ZIP archive present within the second PDF.
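As an added defensive illustration (this is not code from Proofpoint's report), the following Python check flags the file traits the chain above relies on: a shortcut named to pass as an Excel document, and PDFs that also carry a ZIP local-file header or HTA markup. The archive member names and bytes are constructed samples, and the markers are a minimal heuristic, not signatures for the campaign's actual files.

```python
import re

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Shell Link header: HeaderSize 0x4C followed by the ShellLink CLSID (00021401-0000-0000-C000-000000000046).
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
# Markup that has no business inside a PDF but that mshta.exe will run if handed the file.
HTA_MARKERS = (b"<hta:application", b"<script")

def classify_file(data: bytes) -> list[str]:
    """Label a blob by its header plus any second format hiding inside it."""
    labels = []
    if data.startswith(LNK_MAGIC):
        labels.append("lnk")
    if data.startswith(PDF_MAGIC):
        labels.append("pdf")
        if ZIP_LOCAL_HEADER in data[len(PDF_MAGIC):]:
            labels.append("pdf+zip")  # a ZIP archive riding inside the PDF
        if any(marker in data.lower() for marker in HTA_MARKERS):
            labels.append("pdf+hta")  # HTA script riding inside the PDF
    return labels

def is_disguised_lnk(name: str, data: bytes) -> bool:
    """True when LNK content is named to pass as an Excel file (report.xlsx or report.xlsx.lnk)."""
    return bool(re.search(r"\.xlsx?(\.lnk)?$", name.lower())) and data.startswith(LNK_MAGIC)

def triage_archive(members: dict[str, bytes]) -> list[str]:
    """Walk an extracted archive and report the lure traits described in the article."""
    alerts = []
    for name, data in members.items():
        if is_disguised_lnk(name, data):
            alerts.append(f"{name}: shortcut masquerading as an Excel document")
        for label in classify_file(data):
            if label.startswith("pdf+"):
                alerts.append(f"{name}: {label} polyglot")
    return alerts

# Constructed sample archive (hypothetical names and bytes, not the campaign's files).
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
SAMPLE_ARCHIVE = {
    "invoice.xlsx.lnk": LNK_MAGIC + b"\x00" * 56,
    "brochure.pdf": CLEAN_PDF + b'<HTA:APPLICATION id="app"><script>/* script body */</script>',
    "terms.pdf": CLEAN_PDF + ZIP_LOCAL_HEADER + b"\x14\x00\x00\x00\x08\x00" + b"\x00" * 20 + b"payload.bin",
    "clean.pdf": CLEAN_PDF,
}

if __name__ == "__main__":
    for alert in triage_archive(SAMPLE_ARCHIVE):
        print(alert)
```

Running it on the constructed archive reports three alerts: the disguised shortcut, the PDF/HTA polyglot and the PDF/ZIP polyglot, while the clean PDF passes.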
The final payload is a Golang-based backdoor called Sosano, stored XOR-encoded against a specific string and decoded before it runs. Sosano has limited functionality, allowing it to establish contact with a command-and-control (C2) server and await further commands.
The backdoor’s capabilities include:
- sosano, to get the current directory or change the working directory
- yangom, to enumerate the contents of the current directory
- monday, to download and launch an unknown next-stage payload
- raian, to delete or remove a directory
- lunna, to execute a shell command
According to Proofpoint, the tactics, techniques, and procedures (TTPs) employed by UNK_CraftyCamel do not overlap with any known threat actor or group.
Joshua Miller, APT Staff Threat Researcher at Proofpoint, believes that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC). The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets.
“This low-volume, highly targeted phishing campaign demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully,” Miller added.