Security researchers are warning of a suspected Iranian hacking group running a highly targeted phishing campaign against fewer than five organisations in the UAE using a novel backdoor. The threat actors first gained access to a compromised email account at an Indian firm that had trusted business relationships with the targeted companies.
Researchers at cybersecurity firm Proofpoint discovered the campaign in October 2024. It is currently tracked under the moniker UNK_CraftyCamel and targets companies working specifically in aviation and satellite communications. The compromised Indian firm was INDIC Electronics. Its email account was used to send phishing messages customised for individual targets to make them more believable.
Proofpoint’s report states that the payload used in the campaign was a malicious ZIP file containing multiple polyglot files to hide the main malicious payload. These files eventually installed a custom backdoor called Sosano, written in Golang. According to Proofpoint’s analysis, the use of polyglot files to obfuscate the payload is a relatively uncommon technique for “espionage-motivated actors” and “speaks to the desire of the operator to remain undetected.”

The emails contained URLs pointing to fake domains that impersonated INDIC Electronics and hosted a ZIP file containing one XLS and two PDFs. The XLS file, however, uses a double extension to evade detection and is actually a Windows shortcut (LNK) file.
The two PDFs were polyglot files—files that behave differently depending on which program opens them. In this case, the PDF files also behave as HTML Applications (HTA) when run by the HTA host.
This arrangement yields an attack sequence in which the LNK file launches the Windows Command Prompt, which runs the PDF/HTA polyglot via the mshta.exe command. Once the HTA script runs, it unpacks a ZIP archive hidden in the other PDF to download and run the DLL backdoor.
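As an added illustration (not Proofpoint’s code or findings), the following defender-side triage script checks an archive for the two tricks described above: a double-extension file that is really a LNK posing as an XLS, and PDFs carrying HTA markers. The sample archive, its member names and contents are constructed for the example.

```python
"""Triage a ZIP attachment for double-extension executables and PDF/HTA polyglots.

Added example; the sample archive below is constructed, not a real campaign artefact.
"""
import io
import re
import zipfile

# File types Windows executes on double-click; the campaign used ".xls.lnk".
EXECUTABLE_EXTS = {".lnk", ".hta", ".exe", ".js", ".vbs", ".scr"}
# Markers that belong in an HTML Application, not in a genuine PDF.
HTA_MARKERS = re.compile(rb"<hta:application|<script\b|ActiveXObject|mshta", re.IGNORECASE)


def double_extension_risk(name: str) -> bool:
    """True if a document-looking extension hides an executable type behind it."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-1] in EXECUTABLE_EXTS


def looks_like_pdf_hta_polyglot(data: bytes) -> bool:
    """True if the bytes carry a PDF header but also contain HTA/script markers."""
    return data[:5] == b"%PDF-" and HTA_MARKERS.search(data) is not None


def triage_zip(zip_bytes: bytes) -> list:
    """Return (member, finding) pairs for suspicious members of the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if double_extension_risk(info.filename):
                findings.append((info.filename, "double extension hides executable type"))
            if looks_like_pdf_hta_polyglot(zf.read(info)):
                findings.append((info.filename, "PDF/HTA polyglot markers"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed lure: one fake XLS (really a LNK header) and two PDFs, one a polyglot."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("quotation.xls.lnk", b"L\x00\x00\x00" + b"\x00" * 16)  # LNK magic 0x4C, padded
        zf.writestr("terms.pdf", b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF\n")
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%<html><hta:application id=\"x\"/><script></script></html>\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_zip(build_sample_zip()):
        print(f"{member}: {why}")
```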
The tradecraft shown by UNK_CraftyCamel doesn’t match any other known threat actor. The researchers’ infrastructure analysis hints at possible connections with Iranian-aligned threat actors tracked by the firm’s partners. They have also identified similarities with “suspected Islamic Revolutionary Guard Corps (IRGC) aligned campaigns from TA451 and TA455,” two better-known threat actors from the region.