- Proofpoint observes a sophisticated BEC attack in the UAE
- The attackers used a compromised email account to share polyglot files with their victims
- These files deploy a hidden backdoor against aviation firms
Aviation firms in the United Arab Emirates (UAE) were recently targeted by a highly sophisticated business email compromise (BEC) attack looking to deploy advanced malware.
Cybersecurity researchers Proofpoint recently said they observed customers in the country, “with a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure,” being targeted.
The attacks started in late 2024, when a threat actor dubbed UNK_CraftyCamel compromised an Indian electronics company the aviation firms did business with in the past. They used that company’s email account to spread multiple polyglot files, and by using their partner’s email account, the attackers retained a sense of legitimacy, while trying to deploy malware in typical BEC fashion.
Unknown attackers
The infection chain they were looking for starts with polyglot files – these are files that can function as multiple formats simultaneously, allowing them to evade traditional detection mechanisms. While somewhat uncommon, polyglot files were observed in cyberattacks before, Proofpoint says, most notably in the Emmenthaler loader attacks.
Eventually, these files lead to the installation of a custom Go-based backdoor called Sosano, designed to maintain access and execute other malicious commands remotely. The attackers’ effort to conceal the attack didn’t stop with polyglot files, either. The backdoor’s size was bloated through unused Golang libraries, and its execution was delayed, to avoid detection in sandbox environments.
Proofpoint said Sosano connected to a remote server bokhoreshonline[.]com to receive commands and potentially download further payloads.
While the researchers do not directly link UNK_CraftyCamel to known groups, they note similarities with Iran-aligned threat actors TA451 and TA455, both associated with the Islamic Revolutionary Guard Corps (IRGC).
“Both groups historically focused on targeting aerospace aligned organizations. Furthermore,TA451 and UNK_CraftyCamel both used HTA files in highly targeted campaigns in the UAE; and TA455 and UNK_CraftyCamel share a preference for approaching targets with business-to-business sales offers, followed by targeting engineers within the same companies,” the researchers said. “Despite these similarities, Proofpoint assesses UNK_CraftyCamel to be a separate cluster of intrusion activity.”
Leave a comment