UNK_CraftyCamel: A Targeted Polyglot Malware Campaign Exploiting Trusted Business Relationships

Proofpoint researchers have identified a highly targeted spear-phishing campaign attributed to a new threat cluster, UNK_CraftyCamel. This campaign underscores the growing trend of threat actors exploiting trusted business relationships to gain access to high-value targets. The final payload is a backdoor named Sosano that uses polyglot files to avoid detection. The advanced use of polyglot malware, XOR-based encryption, and obfuscation techniques indicates a highly capable adversary with a well-defined operational goal.

Severity Level: High

Threat Details

1. Initial Access:

  • The attackers compromised an email account of an Indian electronics company (INDIC Electronics).
  • Used this trusted entity to send spear-phishing emails to UAE-based targets.
  • The email contained a malicious ZIP file hosted on a spoofed domain (indicelectronics[.]net).

2. Malware Delivery & Execution:

  • The ZIP file contained:
    – A masqueraded XLS file (actually an LNK shortcut).
    – Two polyglot PDF files (one PDF/HTA, one PDF/ZIP).
  • The LNK file executed cmd.exe, which triggered mshta.exe to run the HTA script inside the polyglot PDF.
  • The script extracted and executed Hyper-Info.exe, which retrieved an XOR-encrypted file (sosano.jpg).
  • After decryption, the final payload (Sosano backdoor DLL) was loaded into memory.
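As an added illustration of how a mail gateway or sandbox can triage the three attachment types named above, the following Python script is example code written for this advisory, not tooling from Proofpoint or from the campaign. It checks each attachment for two properties the chain relies on: a file whose extension claims one format while its bytes carry another (an LNK shortcut named as an XLS), and a PDF that also carries HTA markup or a ZIP structure (a polyglot). The sample blobs are constructed stand-ins built from public format signatures, not real samples from the campaign; the HTA marker list is a heuristic and a legitimate PDF that embeds raw HTML would also be flagged.

```python
"""Static triage for masqueraded and polyglot attachments (added example)."""
import os

# Documented format signatures from the public specs (not page-specific values).
PDF_MAGIC = b"%PDF-"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # legacy .xls compound document
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"    # ShellLinkHeader size + CLSID prefix
ZIP_MARKERS = (b"PK\x03\x04", b"PK\x05\x06")        # local file header / end-of-central-dir
HTA_MARKERS = (b"<hta:application", b"<script", b"<html")  # heuristic, case-insensitive

# What a filename's extension claims the content to be.
CLAIMED_FORMAT = {".xls": "ole", ".pdf": "pdf", ".lnk": "lnk", ".zip": "zip", ".hta": "hta"}


def identify_formats(data: bytes) -> set[str]:
    """Return every container/markup signature present in `data`.
    More than one entry means the file is a polyglot."""
    found = set()
    if data.startswith(PDF_MAGIC):
        found.add("pdf")
    if data.startswith(OLE_MAGIC):
        found.add("ole")
    if data.startswith(LNK_MAGIC):
        found.add("lnk")
    if any(marker in data for marker in ZIP_MARKERS):
        found.add("zip")
    lowered = data.lower()
    if any(marker in lowered for marker in HTA_MARKERS):
        found.add("hta")
    return found


def triage(filename: str, data: bytes) -> list[str]:
    """Findings for one attachment: polyglot content and extension masquerade."""
    findings = []
    formats = identify_formats(data)
    label = "+".join(sorted(formats)) or "unknown"
    if len(formats) > 1:
        findings.append(f"polyglot:{label}")
    ext = os.path.splitext(filename)[1].lower()
    claimed = CLAIMED_FORMAT.get(ext)
    if claimed and claimed not in formats:
        findings.append(f"masquerade:{ext} extension but content is {label}")
    return findings


# Constructed sample blobs mimicking the three attachment types (not real malware).
FAKE_XLS_LNK = LNK_MAGIC + b"\x00" * 68
PDF_WITH_HTA = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
                b"<html><hta:application id=\"x\"/></html>")
PDF_WITH_ZIP = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
                + b"PK\x03\x04" + b"\x00" * 26 + b"PK\x05\x06" + b"\x00" * 18)
CLEAN_PDF = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"

if __name__ == "__main__":
    for name, blob in [("invoice.xls", FAKE_XLS_LNK), ("a.pdf", PDF_WITH_HTA),
                       ("b.pdf", PDF_WITH_ZIP), ("c.pdf", CLEAN_PDF)]:
        print(name, triage(name, blob) or ["clean"])
```

The masquerade check is the cheap, high-signal part: an LNK header behind a spreadsheet extension has no legitimate business use in inbound mail, so it can block outright, while the polyglot check is better treated as a sandbox escalation signal.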

3. Backdoor Capabilities (Sosano Malware):

  • Developed in Golang, designed to evade analysis with bloating and obfuscation.
  • Communicates with C2 server (bokhoreshonline[.]com, 104.238.57[.]61) via HTTP requests.
  • Supports multiple commands for directory listing, file execution, downloading additional payloads, and removing directories.

4. Targeting & Attribution:

  • Highly selective targeting, focusing on aviation, satellite communications, and transportation infrastructure in the UAE.
  • While not directly attributed to a known APT group, tactical overlaps exist with Iran-aligned threat actors (TA451, TA455, IRGC-affiliated groups).
  • Use of HTA-based attacks, spear-phishing, and supply chain compromise tactics suggests an espionage motive.

Recommendations

  1. Enforce DMARC, SPF, and DKIM to prevent email spoofing.
  2. Block ZIP, LNK, and HTA files from untrusted sources.
  3. Block or limit execution of mshta.exe, cmd.exe, and wscript.exe.
  4. Restrict LNK files from launching PowerShell or command-line scripts.
  5. Monitor unusual DLL execution from directories like C:\Users\AppData\Local\Temp.
  6. Monitor for LNK files executed from recently unzipped directories, .url files referenced in the Run registry key, .url files launching anything other than a web browser, and executables reading a JPG file from a user directory.
  7. Monitor for execution of cmd.exe → mshta.exe within short timeframes.
  8. Block the IOCs at their respective controls.
    https://www.virustotal.com/gui/collection/38e45c7d61553bb17f01abc5b1036e37b82b3668c14b8e75b3ec0178d3452aee/iocs
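To show what recommendations 5 to 7 look like as detection logic, the following Python script is an added example written for this advisory, not a rule shipped by any vendor. It runs three checks over constructed endpoint telemetry (loosely modelled on Sysmon-style process-create and file-read events; the field names, PIDs, user paths and timestamps are invented for the demo): cmd.exe spawning mshta.exe within a short window, cmd.exe started by explorer.exe with its working directory in a user Temp folder (the footprint of a shortcut run from an extracted archive), and a non-viewer executable reading a JPG under a user profile. The 60-second window and the viewer allowlist are assumptions to tune per estate.

```python
"""Process-chain and file-access detections for the advisory's monitoring advice (added example)."""
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the report). Field names are an assumption
# modelled on Sysmon-style events; paths, PIDs and timestamps are invented.
EVENTS = [
    {"ts": "2025-03-01T09:00:00", "type": "process", "pid": 4100, "ppid": 1,
     "image": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\alice"},
    {"ts": "2025-03-01T09:00:05", "type": "process", "pid": 4210, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\extract"},
    {"ts": "2025-03-01T09:00:07", "type": "process", "pid": 4330, "ppid": 4210,
     "image": r"C:\Windows\System32\mshta.exe",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\extract"},
    {"ts": "2025-03-01T09:00:12", "type": "process", "pid": 4400, "ppid": 4330,
     "image": r"C:\Users\alice\AppData\Local\Temp\extract\Hyper-Info.exe",
     "cwd": r"C:\Users\alice\AppData\Local\Temp\extract"},
    {"ts": "2025-03-01T09:00:15", "type": "file_read", "pid": 4400,
     "image": r"C:\Users\alice\AppData\Local\Temp\extract\Hyper-Info.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\extract\sosano.jpg"},
    # Benign noise the rules must not flag: an interactive shell and an image viewer.
    {"ts": "2025-03-01T09:30:00", "type": "process", "pid": 5000, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "cwd": r"C:\Users\alice\Documents"},
    {"ts": "2025-03-01T09:31:00", "type": "file_read", "pid": 5100,
     "image": r"C:\Windows\System32\mspaint.exe",
     "target": r"C:\Users\alice\Pictures\holiday.jpg"},
]

MAX_CMD_TO_MSHTA_SECONDS = 60                                   # "short timeframe" (assumption)
IMAGE_VIEWER_ALLOWLIST = {"explorer.exe", "mspaint.exe", "photos.exe"}  # tune per estate


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _parts(path: str) -> list[str]:
    return [p.lower() for p in PureWindowsPath(path).parts]


def _under_user_temp(path: str) -> bool:
    parts = _parts(path)
    return "users" in parts and "appdata" in parts and "temp" in parts


def _under_user_profile(path: str) -> bool:
    parts = _parts(path)
    return len(parts) > 2 and parts[1] == "users"


def detect(events: list[dict]) -> list[tuple[str, int]]:
    """Return (rule, pid) alerts for the three monitoring recommendations."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            parent_name = _name(parent["image"]) if parent else ""
            name = _name(e["image"])
            # Rule 1: mshta.exe launched by cmd.exe within a short window.
            if name == "mshta.exe" and parent_name == "cmd.exe":
                delta = datetime.fromisoformat(e["ts"]) - datetime.fromisoformat(parent["ts"])
                if delta.total_seconds() <= MAX_CMD_TO_MSHTA_SECONDS:
                    alerts.append(("cmd_to_mshta", e["pid"]))
            # Rule 2: cmd.exe started from explorer.exe with its working dir in user Temp,
            # the typical footprint of a shortcut opened from an extracted archive.
            if name == "cmd.exe" and parent_name == "explorer.exe" and _under_user_temp(e["cwd"]):
                alerts.append(("cmd_from_temp", e["pid"]))
        elif e["type"] == "file_read":
            # Rule 3: an executable that is not a known viewer reads a .jpg in a user profile.
            target = e["target"]
            if (target.lower().endswith(".jpg") and _under_user_profile(target)
                    and _name(e["image"]) not in IMAGE_VIEWER_ALLOWLIST):
                alerts.append(("exe_reads_jpg", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"ALERT {rule} pid={pid}")
```

Each rule on its own is noisy in some environments (developers run cmd.exe from Temp, thumbnail generators read JPGs); the value is in correlating all three on one host within minutes, which is exactly the sequence the delivery chain above produces.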

Source:

  • https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/
  • https://www.proofpoint.com/us/blog/threat-insight/call-it-what-you-want-threat-actor-delivers-highly-targeted-multistage-polyglot
