Ethical Hacking News
Enterprise security firm Proofpoint has uncovered a sophisticated phishing campaign that targeted fewer than five aviation and satellite communications organizations in the United Arab Emirates (U.A.E.). The activity, tracked as UNK_CraftyCamel, leveraged a compromised email account belonging to an Indian electronics company to send tailored phishing messages. This low-volume, highly targeted campaign highlights the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates.
A sophisticated phishing campaign targeting aviation and satellite communications organizations in U.A.E. has been detected by Proofpoint. The attack used a malicious backdoor called Sosano, which was linked to an Iranian-aligned adversary. The attackers leveraged multiple obfuscation techniques and a trusted third-party compromise to target critical sectors in the U.A.E. The phishing campaign had limited functionality but demonstrated advanced tradecraft and could have significant consequences if not detected and mitigated.
Threat hunters have identified a sophisticated phishing campaign that targeted fewer than five entities in the United Arab Emirates (U.A.E.) with a malicious backdoor dubbed Sosano, specifically targeting aviation and satellite communications organizations. The attack was discovered by enterprise security firm Proofpoint, which detected it in late October 2024 as part of an emerging cluster dubbed UNK_CraftyCamel.
According to Proofpoint, the adversary took advantage of its access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send phishing messages. The entity was said to have been in a trusted business relationship with all the targets, with the lures tailored to each of them. This low-volume, highly-targeted phishing campaign leveraged multiple obfuscation techniques along with a trusted third-party compromise to target critical sectors in the U.A.E.
The attack sequence analyzed by Proofpoint starts with a Windows shortcut (LNK) file that launches cmd.exe, which in turn uses mshta.exe to run a PDF/HTA polyglot file. The embedded HTA script unpacks a ZIP archive carried inside a second PDF. One of the files in that archive loads a binary that looks for an image file, XOR-decodes its hidden contents with the string "234567890abcdef", and runs the resulting DLL backdoor, Sosano.
Written in Golang, the implant carries limited functionality to establish contact with a command-and-control (C2) server and await further commands. The tradecraft demonstrated by UNK_CraftyCamel does not overlap with any other known threat actor or group. Proofpoint noted that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC).
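A defender-side way to check whether an image file carries a DLL hidden with the repeating-key XOR described above, as an added example (this is not Proofpoint's tooling; the key string is the one quoted in the article, while the carrier bytes and the minimal fake PE below are constructed for the demonstration):

```python
"""Scan a blob for a PE image XOR-encoded with a repeating key.
Added example, not Proofpoint's code; KEY is the string quoted in the article,
the sample carrier built by build_sample_image() is constructed."""
import struct

KEY = b"234567890abcdef"  # XOR key quoted in the article

def xor_repeating(data: bytes, key: bytes, start: int = 0) -> bytes:
    """XOR data with key, starting at key index `start` so any alignment works."""
    n = len(key)
    return bytes(b ^ key[(start + i) % n] for i, b in enumerate(data))

def looks_like_pe(decoded: bytes) -> bool:
    """DOS 'MZ' header present and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(decoded) < 0x40 or decoded[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", decoded, 0x3C)[0]
    return decoded[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_xored_pe(blob: bytes, key: bytes = KEY):
    """Return (offset, key_index) of the first XOR-hidden PE in blob, else None.
    The encoded form of 'MZ' depends on where in the key the payload starts,
    so every key alignment is tried; hits are validated via the PE signature."""
    n = len(key)
    for k in range(n):
        pattern = bytes((ord("M") ^ key[k], ord("Z") ^ key[(k + 1) % n]))
        pos = blob.find(pattern)
        while pos != -1:
            window = xor_repeating(blob[pos:pos + 0x400], key, k)
            if looks_like_pe(window):
                return pos, k
            pos = blob.find(pattern, pos + 1)
    return None

def build_sample_image() -> bytes:
    """Constructed JPEG-like carrier with a minimal fake PE XORed into it."""
    fake_pe = (b"MZ" + b"\x00" * (0x3C - 2)          # DOS header up to e_lfanew
               + struct.pack("<I", 0x40)               # e_lfanew -> 0x40
               + b"PE\x00\x00" + b"\x90" * 64)         # PE signature + filler
    carrier = b"\xff\xd8\xff\xe0JFIF" + b"\x11" * 37   # JPEG magic + padding
    return carrier + xor_repeating(fake_pe, KEY, 4) + b"\xff\xd9"

if __name__ == "__main__":
    print(find_xored_pe(build_sample_image()))  # (45, 4): offset 45, key index 4
```

Run against real samples, the same scan can be repeated with other candidate keys, and a hit is a strong indicator that the "image" is a loader stage rather than a picture.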
The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape. This attack demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully.
In an interview with The Hacker News, Joshua Miller, APT Staff Threat Researcher at Proofpoint, stated that this low-volume, highly-targeted phishing campaign leveraged multiple obfuscation techniques along with a trusted third-party compromise to target aviation, satellite communications, and critical transportation infrastructure in the U.A.E. This attack highlights the evolving nature of cyber threats and the importance of staying vigilant in the face of emerging threats.
The findings of this attack are also noteworthy because they underscore the need for organizations to be aware of their digital footprints and to take steps to protect themselves against targeted phishing attacks. The use of compromised email accounts by adversaries to target trusted business relationships is a tactic that should not be underestimated, as it can provide an unprecedented level of access to sensitive information.
As the threat landscape continues to evolve, it is essential for organizations to stay informed about emerging threats and to take proactive steps to protect themselves against cyber attacks. The case of UNK_CraftyCamel serves as a reminder that even low-volume, highly-targeted phishing campaigns can have significant consequences if not detected and mitigated in a timely manner.
In conclusion, the attack uncovered by Proofpoint highlights the evolving nature of cyber threats and the importance of staying vigilant in the face of emerging threats. It also underscores the need for organizations to be aware of their digital footprints and to take steps to protect themselves against targeted phishing attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Cyber-Attack-Uncovered-Iranian-Hackers-Target-UAE-Aviation-Sector-Using-Compromised-Indian-Firms-Email-ehn.shtml
https://thehackernews.com/2025/03/suspected-iranian-hackers-used.html
Published: Tue Mar 4 04:55:25 2025 by llama3.2 3B Q4_K_M