Full Report
Threat hunters are calling attention to a new, highly targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates (U.A.E.) to deliver a previously undocumented Golang backdoor dubbed Sosano. The malicious activity was specifically directed against aviation and satellite communications organizations, according to Proofpoint, which detected it in late October 2024.
Analysis Summary
# Threat Actor: UNK_CraftyCamel
## Attribution & Identity
* **Identification:** Threat actor cluster tracked under the moniker **UNK_CraftyCamel**.
* **Attribution:** Suspected to be Iranian-aligned operators. Proofpoint notes that the demonstrated tradecraft does not overlap with that of any other known threat actor or group, which is why the activity is tracked as a separate cluster.
* **Known Aliases/Associations:** None identified. The actor did, however, operate from a compromised email account belonging to the Indian electronics company INDIC Electronics to facilitate the attack chain.
## Activity Summary
This threat actor was detected in late October 2024 conducting a "highly-targeted phishing campaign" aimed at organizations in the United Arab Emirates (U.A.E.). The adversary utilized access to a compromised email account from INDIC Electronics (an Indian firm with a trusted business relationship with the targets) to send custom-tailored phishing messages. The ultimate goal appears to be cyber espionage, involving the deployment of a custom Golang backdoor named Sosano.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Phishing via compromised trusted third-party email account (INDIC Electronics).
- **Lure Content:** Malicious ZIP archive hosted on a lookalike domain for the compromised Indian firm and linked from the phishing email; the archive held files whose apparent type did not match their real behavior.
- **File Execution/Masquerading (Polyglots):** Combined file masquerading with polyglot files to evade detection and chain execution:
- LNK file using a double extension to masquerade as an XLS document.
- PDF file with an HTML Application (HTA) appended after the PDF data.
- Second PDF file with a ZIP archive appended after the PDF data.
- **Chained Execution:** Opening the LNK launched `cmd.exe`, which invoked `mshta.exe` on the PDF/HTA polyglot. Because `mshta.exe` tolerates the PDF bytes around the script and executes the embedded HTA anyway, the script ran and unpacked the ZIP archive appended to the second PDF.
- **Payload Dropper:** An internet shortcut (`.url`) file from that archive launched a binary.
- **Payload Decoding:** The binary located an image file in which the final payload was XOR-encoded with the key `234567890abcdef`, decoded it in place, and executed the resulting DLL backdoor (**Sosano**).
- **Backdoor Functionality (Sosano):** Written in Golang, it establishes C2 communication and supports commands such as: `sosano` (get/change directory), `yangom` (enumerate directory), `monday` (download/launch next-stage payload), `raian` (delete directory), and `lunna` (execute shell command).
- **MITRE ATT&CK IDs:** None explicitly cited in the source report.
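The two file tricks in the chain above (PDFs with an HTA or ZIP appended after the PDF data, and a DLL XOR-encoded inside an image with a repeating key) are easy to triage offline. The following is an added example written for this summary; it is not Proofpoint's tooling or anything recovered from the campaign. The PDF, ZIP and "image" samples are constructed inline, the PE blob is a minimal header-only stand-in, and the XOR carver tries every rotation of the key so it works whether the actor restarted the key at the blob or at the start of the carrier file (an assumption, since the report does not say).

```python
import re
from typing import Optional, Tuple

PDF_EOF = b"%%EOF"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
HTA_MARKERS = (b"<hta:application", b"<script", b"activexobject")
XOR_KEY = b"234567890abcdef"  # key reported for the image-embedded Sosano DLL


def trailing_data_after_pdf_eof(data: bytes) -> bytes:
    """Bytes after the final %%EOF marker, ignoring trailing whitespace.
    A well-formed PDF has nothing else there; a polyglot carries its payload there."""
    idx = data.rfind(PDF_EOF)
    if idx == -1:
        return b""
    return data[idx + len(PDF_EOF):].strip(b"\r\n\t ")


def classify_pdf_polyglot(data: bytes) -> str:
    """Label a file as clean PDF, PDF+HTA, PDF+ZIP or PDF with an unknown trailer."""
    if not data.startswith(b"%PDF-"):
        return "not-pdf"
    tail = trailing_data_after_pdf_eof(data)
    if not tail:
        return "clean"
    if any(m in tail.lower() for m in HTA_MARKERS):
        return "pdf+hta"   # mshta.exe tolerates the PDF preamble and runs the script
    if ZIP_LOCAL_HEADER in tail:
        return "pdf+zip"   # archive tools find the ZIP records past the PDF data
    return "pdf+unknown-trailer"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the key restarts at the first byte of `data`."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xor_encoded_pe(data: bytes, key: bytes = XOR_KEY) -> Optional[Tuple[int, bytes]]:
    """Scan a carrier (e.g. an image) for a PE that decodes with `key`.
    Returns (offset, rotated_key) of the first MZ header whose e_lfanew points
    at a valid 'PE\\0\\0' signature, or None."""
    rotations = [key[p:] + key[:p] for p in range(len(key))]
    for off in range(len(data) - 0x40):
        for k in rotations:
            if (data[off] ^ k[0]) != 0x4D or (data[off + 1] ^ k[1]) != 0x5A:  # "MZ"
                continue
            dos_header = xor_with_key(data[off:off + 0x40], k)
            e_lfanew = int.from_bytes(dos_header[0x3C:0x40], "little")
            if 0x40 <= e_lfanew <= 0x1000 and off + e_lfanew + 4 <= len(data):
                pe_sig = xor_with_key(data[off:off + e_lfanew + 4], k)[e_lfanew:]
                if pe_sig == b"PE\x00\x00":
                    return off, k
    return None


def carve_xor_encoded_pe(data: bytes, key: bytes = XOR_KEY) -> Optional[bytes]:
    """Return the decoded PE (from its MZ header to the end of the carrier), or None."""
    hit = find_xor_encoded_pe(data, key)
    if hit is None:
        return None
    off, k = hit
    return xor_with_key(data[off:], k)


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ header, e_lfanew=0x80, PE signature."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    return dos + b"\x00" * (e_lfanew - len(dos)) + b"PE\x00\x00" + b"\x00" * 16


# Constructed samples: a JPEG-looking prefix followed by the XOR-encoded blob,
# and three PDFs (HTA appended, ZIP appended, clean).
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 10 + xor_with_key(_fake_pe(), XOR_KEY)
SAMPLE_PDF_HTA = (b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
                  b"<html><head><hta:application id=\"x\"/></head>"
                  b"<script>new ActiveXObject('WScript.Shell');</script></html>")
SAMPLE_PDF_ZIP = b"%PDF-1.4\n%%EOF\n" + ZIP_LOCAL_HEADER + b"\x00" * 26 + b"a.urlxxx"
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in (("hta", SAMPLE_PDF_HTA), ("zip", SAMPLE_PDF_ZIP), ("clean", SAMPLE_PDF_CLEAN)):
        print(name, "->", classify_pdf_polyglot(blob))
    print("xor hit:", find_xor_encoded_pe(SAMPLE_IMAGE))
```

The trailer check is deliberately loose: incremental PDF updates legitimately produce several `%%EOF` markers, so only data after the last one is inspected, and a "pdf+unknown-trailer" verdict is a prompt for manual review rather than a conviction. The carver checks `e_lfanew` and the `PE` signature rather than just `MZ`, which keeps a 15-byte key from producing false hits on random image data.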
## Targeting
- **Sectors:** Aviation and satellite communications organizations.
- **Geography:** United Arab Emirates (U.A.E.).
- **Victims:** Fewer than five organizations were specifically targeted in the U.A.E.
## Tools & Infrastructure
- **Malware Families Used:** Sosano (custom Golang backdoor).
- **Infrastructure:**
- Bogus domain masquerading as the compromised Indian company: `indicelectronics[.]net` (defanged).
- Sosano C2 server(s): not identified in the source beyond the fact that the backdoor communicates with a C2 to receive the commands listed above.
## Implications
This actor demonstrates deliberate multi-stage tradecraft built around evasion: file masquerading (a double-extension LNK), polyglot files that remain valid PDFs while carrying an HTA or a ZIP, living-off-the-land execution through `cmd.exe` and `mshta.exe`, and a custom Go backdoor delivered from an XOR-encoded image. Abusing a compromised account at a trusted third-party vendor (the Indian firm) is a trusted-relationship vector: the lure arrives from a sender the targets already do business with, so sender reputation and user suspicion both work in the attacker's favor. The narrow targeting of aviation and satellite communications organizations suggests intelligence collection against critical infrastructure rather than opportunistic crime.
## Mitigations
- Inspect email attachments and linked downloads for shortcut files (LNK, URL), double extensions, and polyglots: flag PDFs with non-whitespace data after the final `%%EOF` marker and archives that contain LNK or URL files.
- Restrict or alert on `mshta.exe`, particularly when it is launched by `cmd.exe` or is passed a file that is not a `.hta` (a PDF, image or other document), and on `cmd.exe` spawned by `explorer.exe` as the target of a shortcut.
- Treat the XOR key `234567890abcdef` and the Sosano command strings as static indicators for file and memory scanning (for example in YARA rules), and flag freshly dropped binaries that read an image file and then load a DLL from a user-writable directory.
- Scrutinize communications from known or trusted third-party vendors for signs of account compromise, especially when a lure references an existing business relationship and points to a lookalike domain.
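The second mitigation is the one that can be turned into a hunting rule directly, because the LNK launch leaves a distinctive process tree: `explorer.exe` starts `cmd.exe` (the shortcut's target), which starts `mshta.exe` with a non-`.hta` file as its argument. The following is an added example, not detection content from Proofpoint or any vendor; it runs a small rule over constructed Sysmon-style process-creation records (pids, paths and the file names are all made up) and reports each `mshta.exe` instance with the reasons it matched.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / 4688 style), reduced to what the rule needs."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # raw command line as logged


@dataclass
class Finding:
    pid: int
    chain: List[str]                          # image basenames, process first, then ancestors
    reasons: List[str] = field(default_factory=list)


# Constructed sample telemetry: an LNK double-click (explorer -> cmd.exe -> mshta.exe on a
# .pdf) next to a legitimate HTA run directly from explorer.
SAMPLE_EVENTS = [
    ProcEvent(4, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1200, 4, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c start /min mshta.exe "C:\Users\ops\Downloads\OrderList\tender.pdf"'),
    ProcEvent(1300, 1200, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\ops\Downloads\OrderList\tender.pdf"'),
    ProcEvent(2000, 4, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def cmdline_args(cmdline: str) -> List[str]:
    """Split a Windows command line into tokens, keeping quoted paths whole; drops argv[0]."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)][1:]


def ancestry(by_pid: Dict[int, ProcEvent], pid: int, depth: int = 4) -> List[str]:
    """Image basenames from the process up through at most `depth` ancestors."""
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < depth:
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return chain


def hunt_mshta_polyglot(events: List[ProcEvent]) -> List[Finding]:
    """Flag mshta.exe runs that look like the LNK -> cmd.exe -> mshta.exe polyglot chain."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if basename(e.image) != "mshta.exe":
            continue
        f = Finding(e.pid, ancestry(by_pid, e.pid))
        for arg in cmdline_args(e.cmdline):
            # mshta will execute script from any file; a .pdf/.jpg/.txt argument is the polyglot tell
            if "\\" in arg and not arg.lower().endswith(".hta"):
                f.reasons.append(f"non-HTA argument: {arg}")
        if "cmd.exe" in f.chain[1:]:
            f.reasons.append("spawned via cmd.exe (shortcut-style launch)")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt_mshta_polyglot(SAMPLE_EVENTS):
        print(f.pid, " <- ".join(f.chain), f.reasons)
```

Any `cmd.exe` ancestor is treated as a reason on its own, so an administrator who launches a real `.hta` from a batch file will also be reported; that is intentional for a hunt query, where the analyst wants the full set and then filters, but a production alert would usually require both reasons together.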