SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
UAE cyberattack exposes new Sosano malware by Proofpoint

Researchers from Proofpoint have uncovered a highly targeted email-based cyberattack campaign focusing on specific organisations in the United Arab Emirates, particularly those with interests in aviation, satellite communications, and critical transportation infrastructure.

The campaign, which Proofpoint tracks as UNK_CraftyCamel, shows a high degree of sophistication on the part of the threat actors involved.

These adversaries utilised a new form of backdoor malware, dubbed Sosano, which employed several obfuscation techniques to evade detection.

This newly discovered malware was delivered via a multistage infection chain involving polyglot files, a technique that, according to Proofpoint's telemetry, is rarely seen in espionage-motivated campaigns.

According to the research findings, the malicious email messages were sent from a compromised account within an existing, trusted business relationship with the targets. "This campaign led to the newly discovered backdoor dubbed Sosano by Proofpoint, which leveraged numerous techniques to obfuscate the malware and its payload, likely indicating an adversary with significant development capabilities with an interest in protecting their payloads from easy analysis," Proofpoint noted. The campaign was highly targeted, affecting fewer than five Proofpoint customers in the UAE.

An important aspect of the campaign's delivery involved the use of a compromised Indian electronics company.

The threat actors impersonated emails from this company and directed targets to a fraudulent domain, indicelectronics[.]net, which mimicked the legitimate domain of the compromised entity, INDIC Electronics.

The fraudulent domain hosted a ZIP file containing the malware, disguised as typical document files to trick the recipients into downloading and executing it.

The malicious ZIP archive initially appeared to contain benign files, such as XLS and PDF files.

However, upon closer inspection, Proofpoint's analysts discovered the XLS was actually a cleverly disguised LNK file, and the PDFs were specially crafted polyglot files.

Polyglot files can be interpreted as multiple formats, making them difficult to analyse and offering a way for malware to evade detection.
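As an added example, not part of the article or of Proofpoint's analysis: a small Python checker that scans an archive for the two tricks described above, a member whose name ends in .xls but whose bytes carry the Windows shortcut (LNK) header, and a "PDF" whose header is preceded by another format's signature. The signature table and the sample archive are constructed here for illustration.

```python
import io
import zipfile

# Well-known file signatures (constructed table for this example, not from the article).
SIGNATURES = {
    "lnk": b"\x4c\x00\x00\x00\x01\x14\x02\x00",  # ShellLink header size + CLSID prefix
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # legacy .xls/.doc compound file
    "zip": b"PK\x03\x04",                         # ZIP, also OOXML .xlsx/.docx
}
PDF_MAGIC = b"%PDF-"

def detect_formats(data: bytes) -> set:
    """Return every format whose signature sits where a real parser would accept it."""
    found = {name for name, magic in SIGNATURES.items() if data.startswith(magic)}
    # PDF readers accept the header anywhere in the first 1024 bytes; that slack is what a polyglot exploits.
    if PDF_MAGIC in data[:1024]:
        found.add("pdf")
    return found

def inspect_member(name: str, data: bytes) -> list:
    """Flag extension/content mismatches and polyglots for one archive member."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower()
    formats = detect_formats(data)
    if "lnk" in formats and ext != "lnk":
        findings.append("Windows shortcut (LNK) disguised as ." + ext)
    if ext in ("xls", "doc", "xlsx", "docx") and not formats & {"ole", "zip"}:
        findings.append("not an Office container despite ." + ext)
    if len(formats) > 1:
        findings.append("polyglot: " + "+".join(sorted(formats)))
    if "pdf" in formats and not data.startswith(PDF_MAGIC):
        findings.append("PDF header not at offset 0")
    return findings

def scan_zip(zip_bytes: bytes) -> dict:
    """Scan every member of an in-memory ZIP and return {member name: [findings]}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                results[info.filename] = inspect_member(info.filename, zf.read(info))
    return results

def build_sample_zip() -> bytes:  # constructed archive: LNK named .xls, ZIP/PDF polyglot, clean PDF
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xls", SIGNATURES["lnk"] + b"\x00" * 68)  # shortcut, not a spreadsheet
        zf.writestr("contract.pdf", SIGNATURES["zip"] + b"\x00" * 26 + b"%PDF-1.4\n%%EOF\n")
        zf.writestr("readme.pdf", b"%PDF-1.7\n%%EOF\n")  # benign control
    return buf.getvalue()
```

Running `scan_zip(build_sample_zip())` reports the disguised shortcut and the polyglot while leaving the clean PDF unflagged; the same function works on any ZIP read from disk.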

Once the payload was executed, the Sosano backdoor initiated a connection to a command and control server, bokhoreshonline[.]com, and awaited further instructions.

Sosano's capabilities include changing directories, listing directory contents, downloading additional payloads, and executing shell commands, among other functions.

Proofpoint's infrastructure analysis of UNK_CraftyCamel indicated a low volume, highly targeted approach, with the actors showing advanced capabilities in both malware development and execution. Proofpoint also identified certain overlaps in tactics and methodologies with known groups possibly connected to Iranian-aligned adversaries.

Despite some shared techniques with other entities associated with the Islamic Revolutionary Guard Corps, Proofpoint assessed UNK_CraftyCamel to be a distinct, standalone cluster of threat activity, with a specific focus on UAE-based aviation and satellite communication targets, and critical transport infrastructure.

"This campaign is an example of threat actors leveraging trusted relationships to deliver customized and obfuscated malware to highly selective targets," Proofpoint stated in their analysis.

The research underscores the growing trend of sophisticated actors using supply chain compromises and impersonation tactics to infiltrate and compromise high-value targets.
