Proofpoint researchers have uncovered a highly targeted email campaign directed at fewer than five of their customers in the United Arab Emirates (UAE). These customers have a specific interest in aviation, satellite communications, and critical transportation infrastructure. The malicious emails originated from a compromised entity with a trusted business relationship with the targets, featuring lures tailored to each recipient. The researchers have identified this new threat cluster as UNK_CraftyCamel, leading to the discovery of a new backdoor named Sosano by Proofpoint. The backdoor employs various techniques to obfuscate the malware and its payload, indicating that the adversary has advanced development skills and is intent on protecting their payloads from easy analysis.
In the fall of 2024, UNK_CraftyCamel exploited a compromised Indian electronics company to target fewer than five organizations in the UAE with a malicious ZIP file. This file used multiple polyglot files to eventually install the custom Go backdoor, Sosano. The campaign’s use of polyglot files to conceal payload content is relatively rare among espionage-driven actors in Proofpoint’s telemetry, highlighting the operator’s intent to remain undetected.
“In late October 2024, UNK_CraftyCamel actors leveraged access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send malicious email messages,” Joshua Miller, Kyle Cucci, and the Proofpoint team wrote in a Tuesday blog post. “The emails contained URLs pointing to the actor-controlled domain indicelectronics[dot]net, which mimics the legitimate INDIC electronics domain. The malicious URLs downloaded a ZIP archive that, at first glance, contained an XLS file and two PDF files.”
However, upon further investigation, Proofpoint determined the XLS file was an LNK file using a double extension, and the PDF files were both polyglots; the first was a PDF file appended with an HTA, while the second PDF file had a ZIP archive appended.
“At this time, this cluster of activity designated as UNK_CraftyCamel does not overlap with any other identified cluster tracked by Proofpoint. The low volume of recipients, highly targeted nature of the lures, and numerous attempts to obfuscate the malware indicate an adversary with a clear mandate,” according to the Proofpoint blog. “Broader infrastructure analysis indicates possible connections with Iranian-aligned adversaries tracked by trusted partners. Proofpoint has identified multiple tactic, technique, and procedure (TTP) similarities with suspected Islamic Revolutionary Guard Corps (IRGC) aligned campaigns from TA451 and TA455. Both groups historically focused on targeting of aerospace aligned organizations.”
Furthermore, TA451 and UNK_CraftyCamel both used HTA files in highly targeted campaigns in the UAE, and TA455 and UNK_CraftyCamel share a preference for approaching targets with business-to-business sales offers, followed by targeting engineers within the same companies. Despite these similarities, Proofpoint assesses UNK_CraftyCamel to be a separate cluster of intrusion activity.
Based on target analysis, the operators of UNK_CraftyCamel have demonstrated a distinct interest in aviation and satellite communications organizations, along with critical transportation infrastructure, with a focus on the UAE.
“Polyglot files are files that can be interpreted as multiple different formats, depending on how they are read,” the researchers noted. “They are created by carefully structuring data so that different parsers interpret the same file differently, often by exploiting format-specific quirks or overlapping headers. They are not commonly used in everyday software development but remain a niche, powerful tool in specialized technical domains.”
They added that to create a polyglot file, an actor must first identify compatible formats with flexible structures. “Next, they must align headers and footers to ensure they do not interfere with the other format’s structure. After that, they can use hex editors, Python, or even the command-line tool cat to construct the polyglot. Once created, it is important to test the file to understand how different programs—such as file explorers, command-line tools, and browsers—interpret it.”
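The same parser-dependent behaviour that makes polyglots useful to an attacker gives a defender a simple check: a PDF should end at its last %%EOF marker, and a spreadsheet should not carry a shell-link header. The script below is an added example, not Proofpoint's tooling or an artefact from the campaign. It inspects a ZIP attachment for the three shapes the post describes (a document extension hiding a .lnk, a PDF with an HTA/HTML payload appended, and a PDF with a ZIP archive appended). The archive it examines is constructed inline with placeholder content so the check can be run offline; the member names and the payload bytes are assumptions for illustration only.

```python
"""Inspect a ZIP attachment for double-extension LNK files and PDF polyglots.

Added example (not the campaign's files); the sample archive is constructed
inline with placeholder content purely so the checks can be exercised.
"""
from __future__ import annotations

import io
import re
import zipfile

# Windows shell link (LNK) header: HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
# Markers that indicate HTML/HTA content rather than stray PDF padding.
HTML_MARKER = re.compile(rb"<\s*(html|script|hta:application)\b", re.IGNORECASE)


def has_double_extension(name: str) -> bool:
    """True for names like 'quotation.xls.lnk': a document extension in front of a non-document one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    inner, outer = "." + parts[1], "." + parts[2]
    return inner in DOCUMENT_EXTS and outer not in DOCUMENT_EXTS


def trailing_data(pdf: bytes) -> bytes:
    """Bytes after the last %%EOF marker; a clean PDF has at most line endings there."""
    idx = pdf.rfind(b"%%EOF")
    if idx < 0:
        return b""
    return pdf[idx + len(b"%%EOF"):].lstrip(b"\r\n")


def classify_pdf(data: bytes) -> list[str]:
    """Return findings for a file that claims to be a PDF."""
    if not data.startswith(PDF_MAGIC):
        return ["not-a-pdf"]
    tail = trailing_data(data)
    if not tail:
        return []
    findings = []
    if ZIP_LOCAL_HEADER in tail:
        findings.append("pdf+zip-polyglot")
    if HTML_MARKER.search(tail):
        findings.append("pdf+hta-polyglot")
    return findings or ["pdf-trailing-data"]


def inspect_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each archive member name to the list of findings for it (empty = nothing odd)."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            findings = []
            if has_double_extension(info.filename):
                findings.append("double-extension")
            if data.startswith(LNK_MAGIC):
                findings.append("lnk-content")
            if info.filename.lower().endswith(".pdf"):
                findings.extend(classify_pdf(data))
            report[info.filename] = findings
    return report


def build_sample_archive() -> bytes:
    """Constructed lure archive with the same shapes as described, using placeholder content."""
    minimal_pdf = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
                   b"trailer<</Root 1 0 R>>\n%%EOF\n")
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:          # stored, not compressed
        z.writestr("payload.txt", "placeholder second-stage content")
    pdf_zip = minimal_pdf + inner.getvalue()
    pdf_hta = minimal_pdf + b"<html><script>/* placeholder */</script></html>"
    fake_lnk = LNK_MAGIC + b"\x00" * 16              # header only, no link target
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("quotation.xls.lnk", fake_lnk)   # hypothetical member names
        z.writestr("brochure.pdf", pdf_hta)
        z.writestr("pricelist.pdf", pdf_zip)
        z.writestr("clean.pdf", minimal_pdf)
    return out.getvalue()


if __name__ == "__main__":
    for member, findings in inspect_archive(build_sample_archive()).items():
        print(f"{member:20} {', '.join(findings) or 'ok'}")
```

The trailing-data check is deliberately format-agnostic: it does not try to validate the PDF, only to notice that something follows the trailer, and then looks at what that something is. Real PDFs with incremental updates contain several %%EOF markers, which is why the last one is used.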
The Sosano backdoor is a DLL written in Golang, and while it is a large executable file (12 megabytes), it contains only a small amount of malicious code with a limited set of functionality. The code written by the developer creates a backdoor, supplemented by pre-built Golang package functions so that the developer does not have to write new code for routine tasks such as setting up HTTP communications or file read/write operations.
It is likely that the malware developer intentionally bloated the Sosano code with additional, unnecessary Golang libraries to obfuscate and complicate analysis. This executable imports Golang libraries that it does not use, such as code for parsing Multipurpose Internet Mail Extensions (MIME) types, support for a myriad of crypto and compression algorithms, and functions for extensive logging and debugging. Upon execution of the malware, a subset of the strings is run through a de-obfuscation function and loaded into memory.
Upon execution, the sample first sleeps for a random amount of time, using the current system time as a seed for the pseudo-random number generator. This sleep routine helps the malware evade detection in automated analysis sandboxes and endpoint defenses.
After the sleep routine executes, the malware attempts to connect to its C2. “If there is a successful connection established, the malware waits for further commands by periodically sending an HTTP GET request to the C2 server. If the C2 server responds with an instruction, Sosano will parse it and execute the associated command,” the post added.
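The command-polling behaviour described above leaves a recognisable trace in proxy logs: one client issuing GET requests to one external host at nearly constant intervals. The script below is an added example, not Proofpoint's detection content; it groups GET requests per client and destination host, computes the gaps between consecutive requests, and flags pairs whose gap spread (standard deviation divided by the mean) is small. The log lines, the client addresses and the hostnames (example.invalid) are constructed for the demonstration; the thresholds are assumptions to tune against real traffic.

```python
"""Flag near-periodic HTTP GET polling to a single host in proxy logs.

Added example with constructed log lines; not the campaign's infrastructure
and not Proofpoint's detection logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed proxy log: timestamp client method url status response_bytes.
# 10.0.0.5 polls one host roughly every minute; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2024-10-28T09:00:00Z 10.0.0.5 GET http://c2.example.invalid/check 200 12
2024-10-28T09:00:05Z 10.0.0.7 GET http://www.example.invalid/ 200 48211
2024-10-28T09:00:07Z 10.0.0.7 GET http://www.example.invalid/news 200 30512
2024-10-28T09:00:40Z 10.0.0.7 GET http://www.example.invalid/news/1 200 22190
2024-10-28T09:01:02Z 10.0.0.5 GET http://c2.example.invalid/check 200 12
2024-10-28T09:02:01Z 10.0.0.5 GET http://c2.example.invalid/check 200 12
2024-10-28T09:02:59Z 10.0.0.5 GET http://c2.example.invalid/check 200 12
2024-10-28T09:03:15Z 10.0.0.7 GET http://www.example.invalid/news/2 200 19871
2024-10-28T09:03:16Z 10.0.0.7 POST http://www.example.invalid/login 302 0
2024-10-28T09:04:00Z 10.0.0.5 GET http://c2.example.invalid/check 200 12
2024-10-28T09:05:01Z 10.0.0.5 GET http://c2.example.invalid/check 200 12
2024-10-28T09:10:00Z 10.0.0.7 GET http://www.example.invalid/contact 200 8120
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({
            "ts": ts,
            "client": m.group(2),
            "method": m.group(3),
            "host": urlsplit(m.group(4)).hostname,
            "status": int(m.group(5)),
            "bytes": int(m.group(6)),
        })
    return rows


def find_beacons(text: str, min_requests: int = 5, max_cv: float = 0.2) -> list[dict]:
    """Return (client, host) pairs whose GET inter-request gaps are nearly constant.

    max_cv is the coefficient of variation (pstdev / mean) above which the
    traffic is treated as irregular browsing rather than polling.
    """
    stamps_by_pair = defaultdict(list)
    for row in parse_log(text):
        if row["method"] == "GET":
            stamps_by_pair[(row["client"], row["host"])].append(row["ts"])

    hits = []
    for (client, host), stamps in stamps_by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:          # all requests in the same second: not a polling pattern
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"client": client, "host": host, "requests": len(stamps),
                         "mean_interval": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['host']}: {hit['requests']} GETs, "
              f"every {hit['mean_interval']:.1f}s (cv={hit['cv']:.3f})")
```

The initial random sleep the post describes delays the first contact but does not change the regularity of the polling that follows, which is what this check keys on; a small response size on every poll (the "no instruction" case) is a useful second signal to add once the pair is flagged.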
In its conclusion, the Proofpoint post recognized that the Sosano campaign is an example of threat actors leveraging trusted relationships to deliver customized and obfuscated malware to highly selective targets. “Advanced threat actors will specifically target trusted third parties operating as upstream suppliers and frequently interact with their customers; this allows the actors to conduct a supply chain compromise, which lowers the likelihood of initial detection of email-based threats.”
In addition to the detection opportunities described in the post, organizations should train users to be suspicious of unexpected or unrecognized content originating from known contacts, and to recognize common characteristics of malicious content, such as domain impersonation using alternate top-level domains.
In September 2023, Microsoft researchers shared insights into a campaign by the Iranian nation-state actor Peach Sandstorm (APT33, Refined Kitten) that predominantly targets the satellite, defense, and pharmaceutical sectors. The hackers use sophisticated methods, including password spray tactics and customized tools for data exfiltration, and Microsoft suggests the campaign facilitates Iranian intelligence collection.