A sophisticated cyber espionage campaign targeting the aviation and satellite communications sectors in the United Arab Emirates has been uncovered by Proofpoint researchers.
The operation, attributed to a threat cluster dubbed “UNK_CraftyCamel,” demonstrates advanced techniques, including leveraging trusted business relationships and deploying obfuscated malware, to infiltrate critical transportation infrastructure in the region.
Highly Targeted Approach
The campaign, which began in late 2024, utilized a compromised email account belonging to an Indian electronics company, INDIC Electronics, to send spear-phishing emails to fewer than five organizations in the UAE.
The emails contained malicious URLs mimicking legitimate domains (indicelectronics[.]net), leading recipients to download a ZIP archive embedded with polyglot files, a rare and technically advanced method of malware delivery.

These polyglot files were designed to evade detection by exploiting format-specific quirks, enabling them to masquerade as legitimate PDF and XLS files while delivering their payload.
Proofpoint researchers identified that the ZIP archive contained a double-extension LNK file and two polyglot PDFs.
Upon execution, the LNK file triggered a chain of events involving cmd[.]exe and mshta[.]exe processes that ultimately installed a custom backdoor named “Sosano.”
This backdoor, written in Golang, showcased significant obfuscation efforts, including bloated code and unused libraries, complicating analysis for cybersecurity experts.
Sosano Backdoor Functionality
The Sosano backdoor operates as a DLL with limited yet potent capabilities.

Once executed, it connects to its command-and-control (C2) server (bokhoreshonline[.]com) and awaits instructions.
Commands include directory navigation, payload downloading, shell command execution, and directory deletion.
The malware also employs evasion tactics such as random sleep routines to bypass automated sandbox detection systems.
Although researchers were unable to retrieve the next-stage payload during their investigation, they noted additional embedded XOR keys that could be used for future iterations of the malware.
While UNK_CraftyCamel has no direct overlap with other known threat clusters, Proofpoint analysts observed similarities with Iranian-aligned groups such as TA451 and TA455.
Both clusters have historically targeted aerospace organizations and employed similar tactics like HTA file delivery and business-to-business sales lures.
Despite these parallels, UNK_CraftyCamel is assessed as an independent entity with a clear mandate focused on UAE aviation and satellite communications sectors.
This campaign highlights the growing trend of adversaries exploiting supply chain vulnerabilities by compromising trusted third-party entities.
Such tactics reduce initial detection rates and increase the likelihood of successful infiltration into high-value targets.
Organizations are advised to enhance employee training on identifying malicious content from known contacts and implement robust detection mechanisms for unusual file behaviors such as LNK files executing from recently unzipped directories or executables accessing JPG files from user directories.
Proofpoint’s findings underscore the importance of vigilance against increasingly sophisticated cyber threats targeting critical infrastructure sectors globally.
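Detection logic for the unusual file behaviours the article tells defenders to watch for, as an added example that is not Proofpoint's code: the event schema (time, image, parent_image, command_line, cwd) is an assumption loosely modelled on Sysmon process-creation data, and every record below is constructed.

```python
import re
from datetime import datetime, timedelta

# Looks like a document but is a shortcut: order.pdf.lnk, quote.xls.lnk, ...
DOUBLE_EXT_LNK = re.compile(r"\.(pdf|xlsx?|docx?|jpe?g)\.lnk$", re.IGNORECASE)

def is_double_extension_lnk(file_name: str) -> bool:
    return bool(DOUBLE_EXT_LNK.search(file_name))

def flag_event(ev: dict, extractions: list, window=timedelta(minutes=10)) -> list:
    """Names of the rules a process-creation event trips (assumed fields:
    time, image, parent_image, command_line, cwd; extractions holds
    (directory an archive was unzipped into, time it happened) pairs)."""
    hits = []
    image, parent = ev["image"].lower(), ev["parent_image"].lower()
    # The chain the article reports: LNK -> cmd.exe -> mshta.exe
    if image.endswith("mshta.exe") and parent.endswith("cmd.exe"):
        hits.append("cmd_spawns_mshta")
    # A shell or mshta running out of a directory unzipped within the window
    for folder, when in extractions:
        recent = timedelta(0) <= ev["time"] - when <= window
        in_folder = ev["cwd"].lower().startswith(folder.lower())
        if recent and in_folder and image.endswith(("cmd.exe", "mshta.exe")):
            hits.append("exec_from_fresh_unzip")
            break
    return hits

# Constructed sample data: one archive extraction and three process events.
T0 = datetime(2024, 11, 5, 9, 0)
TEMP = r"C:\Users\alice\AppData\Local\Temp\order"
EXTRACTIONS = [(TEMP, T0)]
EVENTS = [
    {"time": T0 + timedelta(minutes=1), "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cwd": TEMP,
     "command_line": 'cmd.exe /c mshta.exe "' + TEMP + '\\brochure.pdf"'},
    {"time": T0 + timedelta(minutes=1, seconds=2), "cwd": TEMP,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'mshta.exe "' + TEMP + '\\brochure.pdf"'},
    {"time": T0 + timedelta(hours=2), "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\alice\Documents",
     "command_line": "cmd.exe /c dir"},
]

def run_detections() -> list:
    """(index, rules) for every sample event that trips at least one rule."""
    flagged = [(i, flag_event(ev, EXTRACTIONS)) for i, ev in enumerate(EVENTS)]
    return [(i, rules) for i, rules in flagged if rules]
```

The benign shell launched from Documents two hours after the extraction trips nothing; the two events from the freshly unzipped folder do, and the second also matches the cmd.exe to mshta.exe chain.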