Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware

This article discusses a targeted email campaign by the threat cluster UNK_CraftyCamel, which targeted organizations in the UAE, particularly those involved in aviation and satellite communications. The attackers used sophisticated techniques, including polyglot files, to deliver a backdoor named Sosano, indicating advanced capabilities. Affected: Proofpoint customers, aviation organizations, satellite communications, transportation infrastructure, United Arab Emirates.

Key points:

  • Proofpoint identified a targeted email campaign against a few customers in the UAE.
  • The campaign involved custom lures for each target, leveraging a compromised business relationship.
  • Attackers used a sophisticated backdoor named Sosano with advanced obfuscation techniques.
  • Polyglot files were employed to hide the malware’s payload, making detection more challenging.
  • The email campaign utilized URLs resembling a legitimate electronics company domain.
  • The backdoor communicates with a command and control (C2) server.
  • There are indications of potential links to Iranian-aligned threat actors.
  • Organizations should train users to recognize suspicious emails from known contacts.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Malware establishes communication over HTTP/HTTPS with C2 server bokhoreshonline.com.
  • T1036.005 – Masquerading: Malicious attachments disguised as legitimate documents with misleading filenames (e.g., OrderList.xlsx.lnk).
  • T1203 – Exploitation for Client Execution: Use of double extension files to trick the user into executing malicious content.
  • T1105 – Ingress Tool Transfer: Transferring the backdoor via polyglot files included in ZIP archives.
  • T1055 – Process Injection: The Sosano DLL is loaded and executed using cmd.exe and mshta.exe.
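The two delivery tricks named above, a double-extension filename inside a ZIP and a polyglot carrier, can both be checked at the mail gateway or in a sandbox pre-filter. The following Python script is an added example, not code from the report or from Proofpoint; the report does not describe how the polyglot was constructed, so the script assumes the generic case of a ZIP with foreign bytes before its first local header or after its end-of-central-directory record, and builds a constructed sample (a harmless stand-in for OrderList.zip) to run against.

```python
import io
import struct
import zipfile

# Signatures used by the checks below.
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
# A Windows shortcut begins with HeaderSize 0x4C followed by the LNK CLSID.
LNK_MAGIC = (b"L\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".hta", ".js", ".vbs", ".dll", ".bat", ".cmd", ".ps1"}
DOCUMENT_EXTS = {".xlsx", ".xls", ".docx", ".doc", ".pdf", ".txt", ".jpg", ".png"}

# Constructed sample (not the real attachment): a ZIP whose only member uses the
# double-extension name from the report, followed by a second format appended
# after the end-of-central-directory record, which is what makes it a polyglot.
FAKE_TRAILER = b"<html><body>decoy</body></html>"


def build_sample_zip(trailer: bytes = FAKE_TRAILER) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("OrderList.xlsx.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue() + trailer


def zip_end_offset(data: bytes) -> int:
    """Offset just past the EOCD record and its comment: where a clean ZIP ends."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP")
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return eocd + 22 + comment_len


def polyglot_findings(data: bytes) -> list:
    """Report bytes outside the ZIP structure: before the first local header
    (ZIP appended to another format) or after the EOCD record (another format
    appended to the ZIP). Archive tools ignore both, so the hidden part survives."""
    findings = []
    if not data.startswith(ZIP_LOCAL_HEADER):
        findings.append("data before first ZIP local header")
    trailing = len(data) - zip_end_offset(data)
    if trailing > 0:
        findings.append(f"{trailing} bytes after ZIP end-of-central-directory record")
    return findings


def member_findings(data: bytes) -> list:
    """Flag members by name (executable or double extension) and by content
    (LNK header), so that renaming alone does not evade the check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data[:zip_end_offset(data)])) as zf:
        for info in zf.infolist():
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTS:
                reason = f"executable member ({ext})"
                if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
                    reason = f"double extension: {ext} masquerading as .{parts[-2]}"
                findings.append((info.filename, reason))
            with zf.open(info) as member:
                if member.read(len(LNK_MAGIC)) == LNK_MAGIC:
                    findings.append((info.filename, "content is a Windows shortcut (LNK)"))
    return findings


if __name__ == "__main__":
    sample = build_sample_zip()
    print("polyglot:", polyglot_findings(sample))
    print("members:", member_findings(sample))
```

The name check and the content check are deliberately separate: a gateway rule that only looks at extensions misses a shortcut renamed to a document extension, and one that only looks at magic bytes misses a member whose payload is staged elsewhere. The trailing-data check is cheap enough to run on every archive, and any non-zero result is worth a second look because legitimate ZIP writers do not leave bytes after the EOCD record.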

Indicators of Compromise:

  • [Domain] indicelectronics[.]net
  • [IP Address] 46.30.190[.]96
  • [SHA256] 336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14 (OrderList.zip)
  • [SHA256] 394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3 (OrderList.xlsx.lnk)
  • [Domain] bokhoreshonline[.]com
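To turn the list above into a retrospective hunt, the indicators have to be refanged and matched with proper boundaries so that a longer hostname that merely contains one of the domains does not fire. The following Python scanner is an added example, not part of the report or of Proofpoint's tooling; the DNS, proxy, EDR and firewall log lines it runs over are constructed sample data, not real telemetry, and the log format is an assumption.

```python
import re

# Indicators from the report, kept in the defanged form given above.
DEFANGED_IOCS = {
    "domain": ["indicelectronics[.]net", "bokhoreshonline[.]com"],
    "ip": ["46.30.190[.]96"],
    "sha256": [
        "336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14",
        "394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3",
    ],
}

# Constructed log lines (not from the report). Lines 5, 7 and 8 are negatives:
# an unrelated domain, a longer TLD, and a hostname that merely ends in the IoC.
LOG_LINES = [
    "2025-03-01T08:12:03Z dns client=10.0.5.21 query=www.indicelectronics.net type=A",
    "2025-03-01T08:12:04Z proxy client=10.0.5.21 method=GET host=indicelectronics.net path=/OrderList.zip status=200",
    "2025-03-01T08:13:10Z edr host=WS-0412 event=file_create name=OrderList.xlsx.lnk sha256=394D76104DC34C9B453B5ADAF06C58DE8F648343659C0E0512DD6E88DEF04DE3",
    "2025-03-01T08:20:45Z proxy client=10.0.5.21 method=POST host=bokhoreshonline.com path=/ status=200",
    "2025-03-01T08:21:00Z dns client=10.0.5.40 query=example.com type=A",
    "2025-03-01T08:21:30Z fw action=allow src=10.0.5.21 dst=46.30.190.96 dport=443",
    "2025-03-01T08:22:00Z dns client=10.0.5.40 query=indicelectronics.network type=A",
    "2025-03-01T08:22:10Z dns client=10.0.5.40 query=fakeindicelectronics.net type=A",
]


def refang(indicator: str) -> str:
    """Undo the defanging used for safe publication ([.] and hxxp)."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def build_patterns(iocs):
    """Compile one bounded regex per indicator, keyed by its type."""
    patterns = []
    for kind, values in iocs.items():
        for raw in values:
            value = refang(raw).lower()
            if kind == "domain":
                # the domain itself or any subdomain, but not a longer label
                # that happens to contain it
                rx = r"(?<![a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(value) + r"(?![a-z0-9-])"
            elif kind == "ip":
                rx = r"(?<![0-9.])" + re.escape(value) + r"(?![0-9.])"
            else:  # hashes: case-insensitive, bounded by non-hex characters
                rx = r"(?<![0-9a-f])" + re.escape(value) + r"(?![0-9a-f])"
            patterns.append((kind, value, re.compile(rx, re.IGNORECASE)))
    return patterns


def scan_logs(lines, iocs=DEFANGED_IOCS):
    """Return (line number, indicator type, indicator) for every match."""
    patterns = build_patterns(iocs)
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, value, rx in patterns:
            if rx.search(line):
                hits.append((lineno, kind, value))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(LOG_LINES):
        print(hit)
```

The subdomain-aware domain pattern matters for this campaign because the lure URLs resembled a legitimate electronics company domain: a hunt that only looks for the bare apex would miss a `www.` or other host prefix, while a plain substring search would drown the result in unrelated names.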


Full Story: https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot
