Ethical Hacking News
Aviation and satellite communication firms in the UAE are under threat from a new, highly advanced polyglot malware that evades traditional security tools. Researchers believe the campaign is linked to 'UNK_CraftyCamel' and targets these critical sectors with spear-phishing emails and sophisticated backdoors.
A new polyglot malware has emerged as a threat to aviation and satellite communication firms in the UAE. The malware, linked to 'UNK_CraftyCamel,' bypasses detection by traditional security tools using multiple file formats. The campaign begins with targeted spear-phishing emails that direct victims to download malicious files. The malware establishes a connection with its C2 server and awaits commands, including file operations and shell command execution. Defending against polyglot threats requires a multifaceted approach including email scanning, user education, and security software capable of detecting multiple file formats.
In a concerning development for global security, a new polyglot malware has emerged as a threat to aviation and satellite communication firms in the United Arab Emirates. This malicious software was discovered by Proofpoint researchers in October 2024 and is believed to be linked to a threat actor known as 'UNK_CraftyCamel.' The campaign, although small in scale, presents advanced and dangerous challenges for targeted companies.
Polyglot malware is a type of attack that leverages files structured to be valid in more than one format in order to evade security software. For example, by structuring a single file as both a valid MSI (Windows installer) and a valid JAR (Java archive), attackers can bypass detection by traditional security tools, which often analyze a file based on a single format identified from its header. Because each parser sees only "its own" format, the malicious part of the file can be delivered without being intercepted by security solutions.
The latest campaign observed by Proofpoint begins with targeted spear-phishing emails sent from a compromised Indian electronics company. These emails direct victims to download a ZIP archive called "OrderList.zip" that contains several polyglot files, including an LNK (Windows shortcut) file disguised as an XLS, and two PDF files ("about-indic.pdf" and "electronica-2024.pdf"). The PDFs are designed to evade detection by security software, with one containing HTA (HTML Application) code and the other a hidden ZIP archive.
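The defensive check a practitioner would want here is a scanner that looks for every format signature in a file, not just the one at offset 0, and that notices data appended after a PDF's logical end. The following is an added example written for this article, not Proofpoint's or the campaign's code; the byte signatures are standard format magic, and the sample files (a plain PDF, a PDF with a trailing ZIP, a PDF with embedded HTA markup) are constructed in the block.

```python
import io
import re
import zipfile

# Format signatures chained together in this campaign. "head" must sit at
# offset 0; "anywhere" catches a second format appended or embedded after
# the first one's logical end, which is the polyglot trick.
SIGNATURES = [
    ("pdf", re.compile(rb"%PDF-\d\.\d"), "head"),
    ("ole-msi", re.compile(rb"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"), "head"),
    ("lnk", re.compile(rb"\x4C\x00\x00\x00\x01\x14\x02\x00"), "head"),
    ("zip", re.compile(rb"PK\x03\x04|PK\x05\x06"), "anywhere"),
    ("hta", re.compile(rb"<hta:application|<script[\s>]", re.I), "anywhere"),
]

def detect_formats(data: bytes) -> set:
    """Return every format signature present, not only the one at offset 0."""
    found = set()
    for label, pattern, where in SIGNATURES:
        hit = pattern.match(data) if where == "head" else pattern.search(data)
        if hit:
            found.add(label)
    return found

def bytes_after_pdf_eof(data: bytes) -> int:
    """Non-whitespace bytes after the last %%EOF. A PDF reader ignores them;
    a ZIP reader, which parses from the end of the file, does not. -1 if no %%EOF."""
    idx = data.rfind(b"%%EOF")
    return -1 if idx < 0 else len(data[idx + 5:].strip())

def is_polyglot(data: bytes) -> bool:
    return len(detect_formats(data)) > 1

def zip_reader_accepts(data: bytes) -> bool:
    """True if the standard ZIP parser treats the blob as an archive."""
    return zipfile.is_zipfile(io.BytesIO(data))

def build_samples() -> dict:
    """Constructed inputs for this example, not files from the campaign."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hidden.txt", "constructed placeholder content")
    hta = b'<hta:application id="x"/><script language="VBScript">\' stub</script>'
    return {"pdf": pdf, "pdf+zip": pdf + buf.getvalue(), "pdf+hta": pdf + hta}

if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, sorted(detect_formats(blob)), bytes_after_pdf_eof(blob), is_polyglot(blob))
```

Running the block shows the plain PDF as a single format with nothing after `%%EOF`, while the other two samples report two formats each and the PDF+ZIP blob is also accepted by the ZIP parser.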
When the LNK file is executed, cmd.exe launches mshta.exe, which in turn triggers the execution of an HTA script within the first PDF. This process leads to the launch of the second PDF file, which writes a URL file to the Windows Registry for persistence and then executes an XOR-encoded JPEG file that decodes a DLL payload ("yourdllfinal.dll"), resulting in the Sosano backdoor being established.
Sosano is described as a relatively simple Go-based payload with limited functionality, but it has been obfuscated to 12MB in size. Once activated, Sosano establishes a connection with its command-and-control (C2) server at "bokhoreshonline[.]com" and awaits commands, including file operations, shell command execution, and the deployment of additional payloads.
Defending against polyglot threats requires a multifaceted approach that includes email scanning, user education, and security software capable of detecting multiple file formats in a single file. Blocking dangerous file types such as LNKs, HTAs, and ZIPs at the email gateway is also prudent to prevent infections.
The emergence of this new polyglot malware highlights the evolving nature of cyber threats and the need for robust security measures to protect sensitive industries like aviation and satellite communication from sophisticated attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Polyglot-Malware-Targets-Aviation-Satellite-Communication-Firms-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-polyglot-malware-hits-aviation-satellite-communication-firms/
Published: Tue Mar 4 10:31:06 2025 by llama3.2 3B Q4_K_M