Aviation firms hit by devious new polyglot malware
Date:
Wed, 05 Mar 2025 15:15:00 +0000
Description:
Hackers are engaged in a highly targeted attack, targeting individuals in UAE.
FULL STORY ======================================================================
- Proofpoint observes a sophisticated BEC attack in the UAE
- The attackers used a compromised email account to share polyglot files with their victims
- These files deploy a hidden backdoor against aviation firms
Aviation firms in the United Arab Emirates (UAE) were recently targeted by a highly sophisticated business email compromise (BEC) attack looking to deploy advanced malware.
Cybersecurity researchers at Proofpoint recently said they observed customers in the country, with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure, being targeted.
The attacks started in late 2024, when a threat actor dubbed UNK_CraftyCamel compromised an Indian electronics company the aviation firms had done business with in the past. They used that company's email account to spread multiple polyglot files, and by using their partner's email account, the attackers retained a sense of legitimacy while trying to deploy malware in typical BEC fashion.
Unknown attackers
The infection chain they were looking for starts with polyglot files - these are files that can function as multiple formats simultaneously, allowing them to evade traditional detection mechanisms. While somewhat uncommon, polyglot files were observed in cyberattacks before, Proofpoint says, most notably in the Emmenthaler loader attacks.
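Polyglot files work because each format's parser looks for its signature at a different place in the file, so one byte string can satisfy several parsers at once. The following Python checker is an added example, not code from the TechRadar article or from Proofpoint's report; it flags files that match more than one format's structural markers (the offsets used are the standard ones for each format), and the sample input at the bottom is constructed for the demonstration.

```python
import struct

# Structural markers each parser honours. A file can carry several of these at
# once, which is exactly what makes a polyglot slip past single-format checks.
PE_MAGIC = b"MZ"
ZIP_EOCD = b"PK\x05\x06"
ZIP_LOCAL = b"PK\x03\x04"
PDF_MAGIC = b"%PDF-"
JPEG_MAGIC = b"\xff\xd8\xff"
HTML_MARKERS = (b"<html", b"<script", b"<hta:application")


def _looks_like_pe(data: bytes) -> bool:
    # PE: 'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\0\0'.
    if not data.startswith(PE_MAGIC) or len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _looks_like_zip(data: bytes) -> bool:
    # ZIP readers find the End Of Central Directory record from the tail (at
    # most 22 bytes + a 64 KiB comment), so leading junk is tolerated.
    tail = data[-(22 + 65535):]
    return ZIP_EOCD in tail or data.startswith(ZIP_LOCAL)


def identify_formats(data: bytes) -> set:
    """Return every format whose parser would plausibly accept these bytes."""
    found = set()
    if _looks_like_pe(data):
        found.add("pe")
    if _looks_like_zip(data):
        found.add("zip")
    if PDF_MAGIC in data[:1024]:      # PDF readers accept the header anywhere in the first 1 KiB
        found.add("pdf")
    if data.startswith(JPEG_MAGIC):
        found.add("jpeg")
    if any(m in data[:4096].lower() for m in HTML_MARKERS):
        found.add("html")
    return found


def is_polyglot(data: bytes) -> bool:
    """More than one matching parser is the signal worth escalating on."""
    return len(identify_formats(data)) > 1


if __name__ == "__main__":
    # Constructed sample: a PDF header followed by a bare ZIP end-of-directory record.
    sample = b"%PDF-1.7\n" + ZIP_EOCD + b"\x00" * 18
    print(sorted(identify_formats(sample)), is_polyglot(sample))  # ['pdf', 'zip'] True
```

Running the checker over an attachment quarantine gives a cheap triage signal; it does not replace parsing each format properly, since a legitimate file with an embedded thumbnail or comment can also trip more than one marker.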
Eventually, these files lead to the installation of a custom Go-based backdoor called Sosano, designed to maintain access and execute other malicious commands remotely. The attackers' efforts to conceal the attack didn't stop with polyglot files, either. The backdoor's size was bloated with unused Golang libraries, and its execution was delayed to avoid detection in sandbox environments.
Proofpoint said Sosano connected to a remote server bokhoreshonline[.]com to receive commands and potentially download further payloads.
While the researchers do not directly link UNK_CraftyCamel to known groups, they note similarities with Iran-aligned threat actors TA451 and TA455, both associated with the Islamic Revolutionary Guard Corps (IRGC).
Both groups historically focused on targeting aerospace-aligned organizations. Furthermore, TA451 and UNK_CraftyCamel both used HTA files in highly targeted campaigns in the UAE; and TA455 and UNK_CraftyCamel share a preference for approaching targets with business-to-business sales offers, followed by targeting engineers within the same companies, the researchers said. Despite these similarities, Proofpoint assesses UNK_CraftyCamel to be a separate cluster of intrusion activity.
======================================================================
Link to news story:
https://www.techradar.com/pro/security/aviaton-firms-hit-by-devious-new-polyglot-malware