July 1, 2025
Proactive Defense: The Importance of Incident Response Planning in Cybersecurity
Zoho ADSelfService Plus Flaw Allows Attackers to Gain Unauthorized Access
March 5, 2025Multiple NVIDIA Hopper HGX Vulnerabilities
March 5, 2025Zoho ADSelfService Plus Flaw Allows Attackers to Gain Unauthorized Access
March 5, 2025Multiple NVIDIA Hopper HGX Vulnerabilities
March 5, 2025
Severity
High
Analysis Summary
A new highly targeted phishing campaign, tracked as UNK_CraftyCamel, has been identified targeting fewer than five organizations in the United Arab Emirates' aviation and satellite communications sectors.
As discovered by Researcher, in late October 2024, the attack leveraged a compromised email account from the Indian electronics company INDIC Electronics, which had a trusted business relationship with the victims. The attackers sent phishing emails containing links to a fake domain, "indicelectronics[.]net," which hosted a malicious ZIP archive. This archive included an XLS file disguised as an Excel document and two polyglot PDF files that contained embedded malicious scripts designed to execute the attack.
The attack chain involved multiple obfuscation techniques, including the use of an LNK file to launch cmd.exe and mshta.exe, which executed an embedded HTA script. This script extracted the ZIP archive from one of the polyglot PDFs, ultimately leading to the execution of a DLL backdoor named Sosano. The Sosano backdoor, written in Golang, has a limited but effective set of capabilities, such as retrieving the current directory, enumerating files, downloading additional payloads, executing shell commands, and deleting directories. The attackers relied on an XOR-based decryption mechanism using the key "234567890abcdef" to decode and execute the malicious DLL.
Notably, the campaign demonstrates a sophisticated approach to evading detection by using trusted third-party access, polyglot files, and multiple layers of obfuscation. The attack sequence manipulated different file parsing behaviors across various applications, making it harder to detect through conventional security measures. The targeted nature of this campaign suggests that the threat actor behind it had a clear objective and advanced tradecraft, but there are no direct overlaps with any previously known cyber-espionage groups. However, Researchers assess with moderate confidence that the campaign may be linked to an Iranian-aligned actor, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC).
The attack's focus on critical infrastructure sectors, including aviation, satellite communications, and transportation, aligns with broader geopolitical intelligence-gathering objectives. The use of low-volume, highly targeted phishing combined with sophisticated obfuscation techniques underscores the level of effort put into remaining undetected while successfully compromising high-value targets. This campaign serves as a stark reminder of the evolving threat landscape and the need for organizations to strengthen their defenses against increasingly advanced state-sponsored cyber threats.
Impact
- Sensitive Data Theft
- Financial Loss
- Reputational Damage
Indicators of Compromise
Domain Name
indicelectronics.net
bokhoreshonline.com
MD5
fbf3c44fdf1d635d1142ae0ec32fe887
19dabeca5fe5f5f35382f8e19c0d4403
35c29b31c3564e7d7cae9901299d41dd
6bd3be2a2d5d01ffa2c061ed63ac290f
SHA-256
336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14
394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3
e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626
0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327
SHA1
304a9849894df9e6b3d381f2d24bcf2ef5b497fb
f336903e65598cdc4908ee4ac0ff106c8c7fb027
cf136da651dfb9104dcba68460ff57288b8c2ff9
f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Implement email authentication protocols (DMARC, DKIM, SPF) to prevent email spoofing.
- Use AI-powered phishing detection tools to identify malicious emails before they reach employees.
- Conduct regular phishing awareness training for employees, emphasizing the risks of double-extension files (e.g., .xls.lnk) and trusted third-party compromise.
- Deploy Next-Generation Antivirus (NGAV) and Endpoint Detection & Response (EDR) to detect obfuscated threats.
- Block known malicious domains (e.g., indicelectronics[.]net) at the network level (firewall, DNS filtering).
- Monitor mshta.exe, cmd.exe, and PowerShell execution for suspicious activity.
- Configure email and web security gateways to scan for polyglot files and unusual file structures.
- Use sandboxing solutions to analyze attachments before delivery.
- Deploy behavioral analysis tools to detect XOR-based decryption mechanisms like the one used for Sosano backdoor.
- Verify and audit third-party vendors for cybersecurity best practices.
- Implement Zero Trust policies, ensuring that even trusted partners have limited access based on necessity.
- Require multi-factor authentication (MFA) for all vendor-related communications and accounts.
- Conduct regular threat hunting for indicators of compromise (IOCs) related to UNK_CraftyCamel and Sosano.
- Establish an incident response plan to quickly detect, contain, and eradicate infections.
- Share intelligence on Iranian APT tactics and new malware strains within cybersecurity communities.