Full Report
Proofpoint researchers have uncovered a highly targeted email campaign directed at fewer than five of their customers in... The post Proofpoint details likely Iranian-backed Sosano malware targeting UAE’s critical sectors appeared first on Industrial Cyber.
Analysis Summary
# Threat Actor: UNK_CraftyCamel
## Attribution & Identity
The cluster of activity is designated as **UNK_CraftyCamel** by Proofpoint researchers.
* **Attribution Assessment:** Currently assessed as a separate cluster of intrusion activity, though broader infrastructure analysis indicates **possible connections with Iranian-aligned adversaries**, specifically **TTP similarities with suspected Islamic Revolutionary Guard Corps (IRGC)-aligned campaigns** tracked as TA451 and TA455.
* **Aliases/Associated Groups:** Does not overlap with any other identified cluster tracked by Proofpoint at this time.
## Activity Summary
UNK_CraftyCamel engaged in a highly targeted email campaign observed in the **fall of 2024**, directed at fewer than five customers in the UAE.
* The initial access vector involved compromising an entity with a trusted business relationship with the targets: **INDIC Electronics**, an Indian electronics company.
* Actors leveraged access to a **compromised email account** belonging to INDIC Electronics in late October 2024.
* Malicious emails contained lures tailored to each recipient and pointed to the actor-controlled domain **indicelectronics[dot]net** (mimicking the legitimate domain) to download a malicious ZIP archive.
* This campaign demonstrates an intent to use **supply chain compromise** by targeting a trusted third party (supplier) interacting with the final victims.
## Tactics, Techniques & Procedures
- **Delivery:** Highly targeted malicious email, leveraging a **compromised upstream supplier** (supply chain compromise).
- **Obfuscation/Payload Concealment:** Extensive use of **polyglot files** to conceal payload content, a rare technique among espionage-driven actors in Proofpoint's telemetry. Polyglots included a PDF appended with an HTA, and a PDF file with a ZIP archive appended.
- **Execution:** Used a malicious ZIP archive containing an LNK file (using a double extension) which ultimately installed the custom backdoor. The campaign also utilized **HTA files** in highly targeted campaigns in the UAE (similar to TA451).
- **Persistence/Malware:** Deployment of a custom Go-based backdoor named **Sosano**.
- **Evasion:** Sosano employs techniques to obfuscate the malware and payload. Upon execution, the malware executes a **sleep routine** using the system time as a seed for a PRNG to evade automated analysis sandboxes.
- **C2/Interaction:** The Sosano backdoor establishes HTTP communication with the C2 server, periodically sending GET requests to await instructions.
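The polyglot technique in the Obfuscation item above (a PDF with an HTA or a ZIP archive appended) has a simple structural tell that a defender can check for: a well-formed PDF ends shortly after its final `%%EOF` marker, so any substantial data after that marker is worth a closer look. The following is an added detection example written for this summary; it is not Proofpoint's tooling, and the marker lists, the 16-byte slack threshold and the sample byte strings are all constructed assumptions.

```python
"""Heuristic detector for PDF-based polyglots (PDF+ZIP, PDF+HTA).

A well-formed PDF ends shortly after its final %%EOF marker; anything
appended after it is a strong polyglot signal. Added example for this
summary, not Proofpoint's tooling; marker lists and thresholds are assumptions.
"""
from dataclasses import dataclass, field

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file entry
ZIP_EOCD = b"PK\x05\x06"           # ZIP end-of-central-directory record
# Markers that would let mshta.exe treat the tail as an HTML Application.
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")
# The spec allows only an end-of-line after %%EOF; a little slack for sloppy writers.
MAX_TRAILING_BYTES = 16


@dataclass
class PolyglotVerdict:
    is_pdf: bool
    trailing_bytes: int
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def inspect_pdf_polyglot(data: bytes) -> PolyglotVerdict:
    """Report what, if anything, is hiding after the PDF's final %%EOF."""
    # The PDF spec lets the header appear anywhere in the first 1024 bytes.
    if PDF_MAGIC not in data[:1024]:
        return PolyglotVerdict(is_pdf=False, trailing_bytes=0)

    # Incrementally updated PDFs carry several %%EOF markers; the last one matters.
    eof_pos = data.rfind(PDF_EOF)
    if eof_pos == -1:
        return PolyglotVerdict(is_pdf=True, trailing_bytes=0,
                               findings=["missing %%EOF marker (malformed PDF)"])

    tail = data[eof_pos + len(PDF_EOF):]
    trailing = len(tail.strip(b"\r\n\t "))   # line endings after %%EOF are legitimate
    findings: list[str] = []
    if trailing > MAX_TRAILING_BYTES:
        findings.append(f"{trailing} bytes of trailing data after %%EOF")
    if ZIP_LOCAL_HEADER in tail or ZIP_EOCD in tail:
        findings.append("ZIP archive appended after %%EOF")
    if any(marker in tail.lower() for marker in HTA_MARKERS):
        findings.append("HTA/HTML content appended after %%EOF")
    return PolyglotVerdict(is_pdf=True, trailing_bytes=trailing, findings=findings)


# Constructed fixtures (not real samples): a minimal PDF plus inert tails.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
PDF_ZIP_SAMPLE = CLEAN_PDF + ZIP_LOCAL_HEADER + b"\x00" * 26 + ZIP_EOCD + b"\x00" * 18
PDF_HTA_SAMPLE = CLEAN_PDF + b'<html><hta:application id="demo"/></html>'

if __name__ == "__main__":
    samples = [("clean", CLEAN_PDF), ("pdf+zip", PDF_ZIP_SAMPLE), ("pdf+hta", PDF_HTA_SAMPLE)]
    for name, sample in samples:
        verdict = inspect_pdf_polyglot(sample)
        print(f"{name:8} suspicious={verdict.suspicious} findings={verdict.findings}")
```

The check is deliberately structural rather than signature-based: it does not need to know what the appended payload does, only that a PDF should not carry tens of kilobytes after its terminator. Run it against an attachment pipeline and route any `suspicious` verdict to manual or sandbox analysis, which is the "specialized analysis" the Mitigations section calls for.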
## Targeting
* **Sectors:** Aviation, satellite communications organizations, and critical transportation infrastructure.
* **Geography:** **United Arab Emirates (UAE)**.
* **Victims:** Fewer than five specific customers in the UAE who have interests in the targeted sectors. The initial compromise occurred at **INDIC Electronics** (an Indian electronics company).
* **Lures:** Shares with TA455 a preference for approaching targets with **business-to-business sales offers**, subsequently targeting engineers within those companies.
## Tools & Infrastructure
* **Malware Families Used:** **Sosano** (a custom DLL written in Golang).
* **Infrastructure:** Actor-controlled domain **indicelectronics[dot]net**.
## Implications
UNK_CraftyCamel possesses advanced development skills, evidenced by the sophisticated use of polyglot files and a custom Go backdoor (Sosano) designed for obfuscation. The primary strategic implication is the successful execution of a **supply chain attack** against highly selective targets, leveraging established trust relationships to lower the chance of detection for email-based threats. The group appears to be driven by a clear mandate, likely intelligence collection related to sensitive infrastructure and technology sectors in the UAE.
## Mitigations
- Train users to be suspicious of **unexpected or unrecognized content originating from known contacts**.
- Focus on identifying common characteristics of malicious content, such as **domain impersonation using alternate top-level domains** (e.g., indicelectronics[dot]net vs. the legitimate domain).
- Monitor for and analyze sophisticated file types, especially **polyglot files**, which demand specialized analysis techniques.
- Implement security controls capable of detecting **Go-based malware** and its associated evasion techniques (e.g., initial sleep routines).
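The alternate-TLD impersonation described in the second mitigation is mechanically easy to check once a list of trusted partner domains exists: split the observed domain into its registrable label and public suffix, and flag any domain whose label matches a partner's but whose suffix differs. The code below is an added example written for this summary, not Proofpoint's tooling; the partner domain `trusted-supplier.com`, the sample headers and URLs, and the short multi-label suffix set are constructed placeholders (the page does not name the legitimate domain that indicelectronics[dot]net mimicked).

```python
"""Flag domains that reuse a trusted partner's name under a different TLD.

Added example for the 'alternate top-level domain' mitigation; it is not
Proofpoint's tooling. The partner list, sample headers/URLs and the short
public-suffix set are constructed for the demo.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

# Multi-label public suffixes treated as one TLD (assumption: a short list, not the full PSL).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.in", "com.br"}


def split_domain(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix) for a domain name."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify_domain(domain: str, trusted_domains: set[str]) -> str:
    """Return 'trusted', 'alternate-tld-impersonation of <partner>', or 'unknown'."""
    domain = domain.lower().rstrip(".")
    for trusted in trusted_domains:
        trusted = trusted.lower()
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    label, suffix = split_domain(domain)
    for trusted in trusted_domains:
        t_label, t_suffix = split_domain(trusted)
        # Same registrable name, different suffix: the indicelectronics[dot]net pattern.
        if label == t_label and suffix != t_suffix:
            return f"alternate-tld-impersonation of {trusted.lower()}"
    return "unknown"


def classify_sender(from_header: str, trusted_domains: set[str]) -> str:
    """Classify the address in a From: header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    return classify_domain(addr.rsplit("@", 1)[1], trusted_domains)


def classify_url(url: str, trusted_domains: set[str]) -> str:
    """Classify the host of a link found in the message body."""
    host = urlsplit(url).hostname
    if not host:
        return "unparseable"
    return classify_domain(host, trusted_domains)


# Constructed demo data: one trusted supplier and messages referencing look-alikes.
TRUSTED = {"trusted-supplier.com"}
SAMPLE_HEADERS = [
    "Sales Desk <sales@trusted-supplier.com>",
    "Sales Desk <sales@trusted-supplier.net>",
    "Sales Desk <sales@trusted-supplier.co.uk>",
    "Newsletter <news@unrelated-vendor.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header:45} -> {classify_sender(header, TRUSTED)}")
    print(classify_url("https://portal.trusted-supplier.net/catalog.zip", TRUSTED))
```

Note that in the campaign described above the sender address itself was a genuinely compromised account at the real supplier, so the `From:` check alone would have passed; the look-alike domain appeared in the download link, which is why `classify_url` is applied to hosts extracted from the message body as well. A production version should replace the small suffix set with the public suffix list.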