- Proofpoint observes a sophisticated BEC attack in the UAE
- The attackers used a compromised email account to share polyglot files with their victims
- These files deploy a hidden backdoor against aviation companies
Aviation companies in the United Arab Emirates (UAE) were recently targeted by a highly sophisticated business email compromise (BEC) attack that sought to deploy advanced malware.
Cybersecurity researchers at Proofpoint recently said they observed customers in the country "with a clear interest in aviation and satellite communications organizations, along with critical transportation infrastructure," being targeted.
The attacks started at the end of 2024, when a threat actor tracked as UNK_CraftyCamel compromised an Indian electronics company with which the targeted aviation companies had done business in the past. They used this company's email account to distribute multiple polyglot files; by sending from a trusted partner's mailbox, the attackers retained a sense of legitimacy while attempting to deliver malware in typical BEC fashion.
Unknown attackers
The infection chain began with polyglot files. These are files that are valid in more than one format at the same time, so a scanner that parses them as one format can miss the payload carried in the other, letting them slip past traditional detection mechanisms. While unusual, polyglot files have been observed in cyberattacks before, says Proofpoint, notably in the Emmenhtal Loader attacks.
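To make the evasion concrete from a defender's side, here is an added example (not Proofpoint's tooling, and not code from the article) that flags a file as a polyglot when it satisfies the format markers of more than one parser. It assumes a few common container and script formats (ZIP, PDF, HTA/HTML and Windows LNK) as the candidates; the sample polyglot it checks is a harmless, constructed PDF prefix with a ZIP archive appended.

```python
"""Flag files that parse as more than one format (polyglot detection).

Added illustration for the article above; not Proofpoint's tooling.
Each check mirrors where the real parser looks for its marker, which is
exactly why appending or prefixing another format goes unnoticed by a
scanner that commits to a single format.
"""
import io
import zipfile


def looks_like_zip(data: bytes) -> bool:
    """ZIP readers find the End-Of-Central-Directory record by scanning
    backwards from EOF (up to a 64 KiB comment), so a ZIP appended to any
    other file still opens. We also require a local file header somewhere."""
    tail = data[-65557:]
    return b"PK\x05\x06" in tail and b"PK\x03\x04" in data


def looks_like_pdf(data: bytes) -> bool:
    """PDF readers accept the %PDF- header anywhere in the first 1024 bytes,
    so a PDF can be preceded by bytes belonging to another format."""
    return b"%PDF-" in data[:1024]


def looks_like_hta(data: bytes) -> bool:
    """mshta.exe renders HTML/script markup regardless of what precedes it,
    so a case-insensitive substring search is the realistic check."""
    low = data.lower()
    return b"<hta:application" in low or (b"<script" in low and b"<html" in low)


def looks_like_lnk(data: bytes) -> bool:
    """Windows shortcut: HeaderSize 0x4C at offset 0, ShellLink CLSID at offset 4."""
    if len(data) < 0x4C:
        return False
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    return data[:4] == b"\x4c\x00\x00\x00" and data[4:20] == clsid


# Order matters only for the order of names reported.
CHECKS = {
    "zip": looks_like_zip,
    "pdf": looks_like_pdf,
    "hta": looks_like_hta,
    "lnk": looks_like_lnk,
}


def detect_formats(data: bytes) -> list:
    """Return the names of every format whose marker check passes."""
    return [name for name, check in CHECKS.items() if check(data)]


def is_polyglot(data: bytes) -> bool:
    """A file that satisfies two or more parsers deserves a closer look."""
    return len(detect_formats(data)) > 1


def build_sample_pdf_zip_polyglot() -> bytes:
    """Constructed, harmless sample: a PDF header followed by a tiny ZIP.
    A PDF viewer sees the header; a ZIP reader finds the EOCD at the end."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample, harmless")
    return b"%PDF-1.4\n% constructed polyglot sample\n" + buf.getvalue()


def build_sample_plain_zip() -> bytes:
    """Constructed control case: an ordinary ZIP with nothing else attached."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "plain archive")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (
        ("pdf+zip", build_sample_pdf_zip_polyglot()),
        ("plain zip", build_sample_plain_zip()),
        ("plain pdf", b"%PDF-1.4\n% nothing else here\n"),
    ):
        print(f"{label:10s} formats={detect_formats(blob)} polyglot={is_polyglot(blob)}")
```

In a mail gateway or sandbox pipeline this kind of check belongs before the format-specific parsers: a file that answers to two parsers should be routed to both, and the mismatch between the declared extension and the detected formats is itself a useful detection signal.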
Finally, these files lead to the installation of a custom Go-based backdoor called Sosano, designed to maintain access and execute further malicious commands issued from outside. The attackers' efforts to hide the attack did not stop with polyglot files: the backdoor's size was padded with unused Go libraries, and its execution was delayed to avoid detection in sandbox environments.
Proofpoint said Sosano connects to a remote server, Bokhoreshonline[.]com, to receive commands and potentially download additional payloads.
While the researchers do not directly link UNK_CraftyCamel to known groups, they note similarities to the Iran-aligned threat actors TA451 and TA455, both associated with the Islamic Revolutionary Guard Corps (IRGC).
"Both groups have historically focused on targeting aerospace-related organizations. In addition, both TA451 and UNK_CraftyCamel have used HTA files in highly targeted campaigns in the UAE, and TA455 and UNK_CraftyCamel share a preference for approaching targets that sell business-to-business, followed by targeting engineers within the same companies," the researchers said. "Despite these similarities, Proofpoint assesses UNK_CraftyCamel as a separate cluster of intrusion activity."