Hackers attack UAE aviation sector in highly targeted email-based campaign

Proofpoint researchers have uncovered a highly targeted, email-based cyberattack campaign aimed at fewer than five organizations in the United Arab Emirates (UAE). These organizations, specifically involved in aviation, satellite communications, and critical transportation infrastructure, were carefully selected as targets due to their strategic importance.

The cyberattack, attributed to an adversarial group tracked as UNK_CraftyCamel, employed sophisticated methods to deliver a malicious payload and leveraged a new backdoor malware known as Sosano.

The attack was conducted through phishing emails originating from a compromised email account belonging to INDIC Electronics, an Indian electronics company with trusted business ties to the targeted UAE organizations. The emails, crafted to look like legitimate business correspondence, contained malicious attachments disguised as important business documents. Once opened, these attachments infected the systems with malware.

The primary goal of the attack was to deliver Sosano, a custom backdoor written in Go. The backdoor is designed for maintaining persistent access to compromised systems, facilitating further malicious actions such as remote code execution and data exfiltration.

Despite its core functionality being relatively small, Sosano itself is unusually large in size—approximately 12 MB. This bloat appears intentional, with the attacker embedding unnecessary libraries to make the malware more difficult to analyze and detect, the researchers noted.

The campaign also uses polyglot files: documents that can be interpreted as more than one file type depending on which parser reads them. The attackers employed polyglots in two PDF files embedded within a ZIP archive. One of these PDFs had an HTML Application (HTA) file appended to it, while the other was paired with a second ZIP archive. The polyglot files exploited differences in how various programs, such as file explorers, command-line tools, and browsers, interpret the same bytes. In addition, the ZIP archive contained a supposed Excel (.XLS) file that was actually a Windows shortcut (LNK) disguised as a legitimate document, abusing the double-extension trick (Windows Explorer hides the trailing .lnk extension, so the file appears to be a spreadsheet) to evade detection.

The multi-stage attack began with an email containing a link to a fraudulent domain, which was designed to closely resemble INDIC Electronics’ legitimate website. When the target clicked on the link, they were directed to a ZIP archive with the malicious files containing the Sosano backdoor.
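From a detection standpoint, the structures described above are cheap to check for before an archive reaches a user. The following Python is an added example written for this page (it is not Proofpoint's tooling and not derived from the campaign's files); it scans a ZIP archive for three tell-tales: a PDF whose bytes after the final `%%EOF` contain a ZIP local-file header, a PDF whose trailing bytes contain HTML/HTA markup, and an entry whose name stacks a document extension on top of `.lnk` or whose content begins with the Windows shell-link header. The sample archive is constructed inline with harmless placeholder content; the entry names are invented.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Windows shell link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HTA_MARKERS = (b"<html", b"<script", b"<hta:application")

# Extensions that execute when double-clicked vs. extensions users expect to be documents.
EXEC_EXT = {".lnk", ".hta", ".exe", ".js", ".vbs", ".scr", ".cmd", ".bat", ".ps1"}
DOC_EXT = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt"}


def pdf_trailing_payloads(data: bytes) -> list[str]:
    """Label anything suspicious that sits after the last %%EOF of a PDF."""
    if not data.startswith(PDF_MAGIC):
        return []
    eof = data.rfind(PDF_EOF)
    if eof == -1:
        return ["pdf-without-eof"]
    tail = data[eof + len(PDF_EOF):]
    findings = []
    if ZIP_LOCAL_HEADER in tail:
        findings.append("zip-after-eof")
    if any(marker in tail.lower() for marker in HTA_MARKERS):
        findings.append("html-after-eof")
    return findings


def has_double_extension(name: str) -> bool:
    """True for names like 'Pricing.xls.lnk': a document extension hiding an executable one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in EXEC_EXT and "." + parts[-2] in DOC_EXT


def scan_zip(blob: bytes) -> dict[str, list[str]]:
    """Return {entry name: [finding, ...]} for every suspicious entry in the archive."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            tags = []
            if has_double_extension(info.filename):
                tags.append("double-extension")
            if data.startswith(LNK_HEADER):
                tags.append("lnk-content")
            tags.extend(pdf_trailing_payloads(data))
            if tags:
                findings[info.filename] = tags
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the layout described in the article; no real payloads."""
    clean_pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    # PDF with an HTA-style document appended after %%EOF (placeholder script body).
    pdf_with_hta = clean_pdf + b'<html><script language="VBScript">\' placeholder\n</script></html>'
    # PDF with a second ZIP archive appended after %%EOF.
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "placeholder")
    pdf_with_zip = clean_pdf + inner.getvalue()
    # "Spreadsheet" that is really a shortcut file (header only, padded).
    fake_xls = LNK_HEADER + b"\x00" * 60
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("Quotation.pdf", pdf_with_hta)
        z.writestr("Contract.pdf", pdf_with_zip)
        z.writestr("Pricing.xls.lnk", fake_xls)
        z.writestr("Cover.pdf", clean_pdf)
    return out.getvalue()


if __name__ == "__main__":
    for name, tags in scan_zip(build_sample_archive()).items():
        print(f"{name}: {', '.join(tags)}")
```

Checking bytes after the last `%%EOF` rather than anywhere in the file keeps false positives low: legitimate PDFs with incremental updates have several `%%EOF` markers, but nothing meaningful should follow the final one. The name check and the header check are deliberately independent, so a `.lnk` renamed to `.xls` outright is still caught by its header even though it has no double extension.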
