In a highly targeted cyber espionage campaign, threat actors exploited trusted business relationships to infiltrate the aviation and satellite communications sectors in the United Arab Emirates (UAE).
Researchers from Proofpoint uncovered the operation, which delivered a custom backdoor dubbed “Sosano” behind several layers of obfuscation.
The campaign, attributed to a threat cluster named UNK_CraftyCamel, demonstrates the evolving tactics of adversaries seeking to compromise critical infrastructure.
Leveraging Trusted Third Parties for Supply Chain Attacks
The attack began in October 2024 when hackers compromised an email account belonging to an Indian electronics company, INDIC Electronics.
Using this trusted entity, they sent phishing emails containing malicious URLs to fewer than five targeted organizations in the UAE.
These URLs redirected victims to a domain mimicking INDIC Electronics’ legitimate site, hosting a ZIP archive that concealed polyglot files and a malicious LNK file.
Polyglot files, rarely seen in espionage campaigns, are single files that parse validly as more than one format depending on which application opens them, a sign of the attackers’ technical sophistication.
The infection chain started when the victim opened the LNK file, which launched a sequence of commands through mshta.exe to process the polyglot files.
These in turn dropped additional payloads, including the Sosano backdoor, which was stored as an XOR-encrypted blob inside a JPG file.

The malware’s obfuscation included bloating the binary with unused Golang libraries and embedding decoy XOR keys to mislead analysts looking for the real one.
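Two checks an analyst would run on the artifacts described above, as an added example that is not code from Proofpoint or from the campaign: a polyglot check that reports every container format a file's bytes satisfy, and known-plaintext recovery of a repeating XOR key from a PE wrapped in a JPG. The second check matters because of the decoy keys the report mentions: deriving the key from the DOS stub text that almost every PE carries ignores whatever key strings are planted in the file. The sample file, the 7-byte key and the decoy string are all constructed in `build_sample()`; no real malware or campaign data is used.

```python
from typing import List, Optional, Tuple

# Well-known format signatures (general knowledge, not campaign IoCs).
SIGNATURES = {
    "pdf":  (b"%PDF-", "head"),
    "jpeg": (b"\xff\xd8\xff", "head"),
    "pe":   (b"MZ", "head"),
    "zip":  (b"PK\x05\x06", "tail"),          # end-of-central-directory record
    "hta":  (b"<hta:application", "any"),
}

# DOS stub text present in almost every PE file: a reliable known plaintext.
PE_CRIB = b"This program cannot be run in DOS mode"


def polyglot_formats(data: bytes) -> List[str]:
    """Return every format whose signature the blob satisfies.

    A normal file matches one entry. Two or more (a PDF header plus a ZIP
    end-of-central-directory record, or a PDF carrying an <hta:application>
    tag) flags a polyglot candidate that a single-format parser may misjudge.
    """
    lowered = data.lower()
    hits = []
    for name, (magic, where) in SIGNATURES.items():
        if where == "head" and data.startswith(magic):
            hits.append(name)
        elif where == "tail" and magic in data[-(65536 + 22):]:
            hits.append(name)  # EOCD may be followed by up to 64 KiB of comment
        elif where == "any" and magic in lowered:
            hits.append(name)
    return hits


def recover_xor_key(blob: bytes, crib: bytes = PE_CRIB,
                    max_key_len: int = 16) -> Optional[Tuple[bytes, int]]:
    """Recover a repeating XOR key by known plaintext.

    For each key length and offset, derive key bytes from blob ^ crib and
    accept the first (length, offset) where they are self-consistent. The
    crib must cover every key byte at least twice, so lengths above
    len(crib) // 2 are not tried. The key is indexed by absolute file
    offset, so it decrypts the whole blob without realignment.
    """
    for key_len in range(1, min(max_key_len, len(crib) // 2) + 1):
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * key_len
            for j, p in enumerate(crib):
                slot = (off + j) % key_len
                kb = blob[off + j] ^ p
                if key[slot] is None:
                    key[slot] = kb
                elif key[slot] != kb:
                    break
            else:
                return bytes(key), off
    return None


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


def carve_pe(blob: bytes) -> Optional[Tuple[bytes, bytes]]:
    """Find an XOR-encrypted PE inside an arbitrary wrapper such as a JPEG.

    Returns (key, bytes from the MZ header to end of file) or None. The MZ
    header is located by searching backwards from the crib, because the DOS
    header precedes the stub text. Trimming to the exact image size would
    need the PE headers parsed, which is outside this example.
    """
    found = recover_xor_key(blob)
    if found is None:
        return None
    key, crib_off = found
    plain = xor_decrypt(blob, key)
    start = plain.rfind(b"MZ", 0, crib_off)
    if start < 0:
        return None
    return key, plain[start:]


def build_sample() -> Tuple[bytes, bytes, bytes]:
    """Constructed test file (no real malware): a JPEG/JFIF header, a fake
    PE blob encrypted with a 7-byte repeating key, then a decoy key string
    stored in the clear. Returns (file_bytes, key, plaintext_pe)."""
    jpeg_head = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"
                 b"\x00\x01\x00\x00" + b"\x00" * 40)
    pe = (b"MZ\x90\x00" + b"\x00" * 60 + PE_CRIB + b".\r\r\n$"
          + b"\x00" * 20 + b"PE\x00\x00" + bytes(range(64)))
    key = b"\x5a\xc3\x19\x7e\x02\xb4\x61"
    encrypted = xor_decrypt(pe, key)            # XOR is symmetric
    decoy = b"\x00" * 8 + b"key=0xDEADBEEF"     # planted, never the real key
    return jpeg_head + encrypted + decoy, key, pe


if __name__ == "__main__":
    sample, key, pe = build_sample()
    print("formats:", polyglot_formats(sample))
    recovered_key, carved = carve_pe(sample)
    print("key:", recovered_key.hex(), "payload intact:", carved[:len(pe)] == pe)
```

The polyglot check reports only `jpeg` for the constructed sample, which is the point: a JPG carrying an encrypted payload is not a polyglot and passes format checks, so the carver is what finds it. The recovered key comes back as a rotation of the original because it is indexed from the start of the file rather than from the start of the payload; either form decrypts correctly.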
Sosano Backdoor: A Tool for Espionage
The Sosano backdoor is a Golang-based DLL with limited functionality but significant stealth capabilities.
Once executed, it connects to a command-and-control (C2) server and awaits instructions.
The backdoor supports a small command set: navigating directories, downloading additional payloads, executing shell commands, and deleting directories.
Its ability to evade detection is enhanced by random sleep routines and encrypted communication with its C2 infrastructure.
Proofpoint researchers noted similarities between UNK_CraftyCamel’s tactics and those of Iranian-aligned groups TA451 and TA455, both known for targeting aerospace organizations.
However, despite shared techniques such as the use of HTA files and business-to-business lures, the researchers assess UNK_CraftyCamel as a distinct entity.
This campaign underscores the risks posed by supply chain compromises and trusted relationships in cybersecurity.
By leveraging upstream suppliers like INDIC Electronics, attackers bypass traditional defenses and gain access to high-value targets with minimal suspicion.
The focus on aviation and satellite communications points to a strategic interest in the region’s critical transport and communications infrastructure.
Organizations are advised to bolster defenses by training employees to treat unexpected content from known contacts with suspicion and by deploying detection capable of handling obfuscated malware.
The indicators of compromise (IoCs) published with the research, such as the lure domain (indicelectronics[.]net) and the C2 server (bokhoreshonline[.]com), should be actively monitored in DNS and proxy telemetry.
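One way to put those two IoCs to work, as an added example that is not from the Proofpoint report: refang the published domains and match them against outbound proxy lines. The lure domain is a lookalike of a real supplier's site, so the matcher does an exact-host or subdomain match rather than a substring search, which would also fire on unrelated hostnames that happen to contain the string. The log lines and their format (timestamp, client IP, method, URL or CONNECT target, status) are constructed for this example and are not any product's real telemetry.

```python
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Domains as published on the page, still defanged.
IOC_DOMAINS = ["indicelectronics[.]net", "bokhoreshonline[.]com"]


def refang(ioc: str) -> str:
    """Undo common defanging: '[.]', '(.)', '{.}', '[:]' and 'hxxp'."""
    s = ioc.strip().lower()
    for broken, fixed in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[:]", ":")):
        s = s.replace(broken, fixed)
    return re.sub(r"^hxxp", "http", s)


def extract_host(field: str) -> str:
    """Hostname from a full URL, or from a bare host / host:port (CONNECT)."""
    if "://" in field:
        return (urlsplit(field).hostname or "").lower()
    return field.split(":", 1)[0].lower()


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself or any subdomain; a lookalike that merely
    contains the string (notindicelectronics.net) must not match."""
    host = host.rstrip(".")
    return host == domain or host.endswith("." + domain)


def scan(lines: List[str], iocs: List[str]) -> List[Tuple[int, str]]:
    """Return (line_index, matched_domain) for every line whose URL or
    CONNECT target belongs to an IoC domain."""
    domains = [refang(d) for d in iocs]
    hits = []
    for idx, line in enumerate(lines):
        parts = line.split()
        if len(parts) < 5:
            continue
        host = extract_host(parts[3])
        for d in domains:
            if host_matches(host, d):
                hits.append((idx, d))
                break
    return hits


# Constructed sample lines: timestamp, client IP, method, target, status.
SAMPLE_LOG = [
    "2024-10-14T09:14:02Z 10.0.4.17 GET http://indicelectronics.net/archive.zip 200",
    "2024-10-14T09:15:40Z 10.0.4.17 GET https://cdn.bokhoreshonline.com/update 200",
    "2024-10-14T09:16:01Z 10.0.4.22 GET https://www.notindicelectronics.net/ 200",
    "2024-10-14T09:17:13Z 10.0.4.31 GET https://example.com/indicelectronics.net.html 200",
    "2024-10-14T09:18:45Z 10.0.4.17 CONNECT bokhoreshonline.com:443 200",
]

if __name__ == "__main__":
    for idx, domain in scan(SAMPLE_LOG, IOC_DOMAINS):
        print(f"hit on line {idx}: {domain}")
```

Lines 0, 1 and 4 match; line 2 is a lookalike host and line 3 only carries the domain in its path, so neither fires. The same host-suffix logic applies to DNS query logs once the queried name is pulled from the record.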
Proofpoint’s findings serve as a reminder of the persistent threats facing critical sectors globally and highlight the importance of collaboration between cybersecurity firms and intelligence teams to mitigate risks effectively.