- Proofpoint observes a sophisticated BEC attack in the UAE
- The attackers used a compromised email account to share polyglot files with their victims
- These files deploy a hidden backdoor against aviation companies
Aviation companies in the United Arab Emirates (UAE) were recently targeted by a highly sophisticated business email compromise (BEC) attack that seeks to deploy advanced malware.
Cybersecurity researchers at Proofpoint recently said they observed customers in the country, "with a distinct interest in aviation, satellite and communications organizations, together with critical transportation infrastructure," being attacked.
The attacks began in late 2024, when a threat actor tracked as UNK_CraftyCamel compromised an Indian electronics company with which the aviation firms had done business in the past. The attackers used that company's email account to distribute multiple polyglot files; by sending from a known partner's mailbox, they retained an air of legitimacy while attempting to deploy malware, as in a typical BEC.
Unknown attackers
The infection chain begins with polyglot files: files crafted to be valid in more than one format at once, so that a scanner inspecting them as one format misses the content that a different parser will execute. Proofpoint notes that polyglot files have been seen in cyberattacks before, particularly in attacks involving the Emmenhtal loader.
Ultimately, these files lead to the installation of a custom Go-based backdoor called Sosano, designed to maintain access and execute further malicious commands remotely. The attackers' efforts to hide the attack did not stop with the polyglot files: the backdoor's size was inflated with unused Golang libraries, and its execution was delayed to evade detection in sandbox environments.
Proofpoint said Sosano connected to a remote server, bokhoreshonline[.]com, to receive commands and potentially download additional payloads.
While the researchers do not directly link UNK_CraftyCamel to known groups, they note similarities with the Iran-aligned threat actors TA451 and TA455, both associated with the Islamic Revolutionary Guard Corps (IRGC).
"Both groups historically focused on targeting aerospace-aligned organizations. In addition, TA451 and UNK_CraftyCamel used HTA files in highly targeted campaigns in the UAE, and TA455 and UNK_CraftyCamel share a preference for approaching targets with company sales offers, followed by targeting engineers within the same companies," the researchers said. "Despite these similarities, Proofpoint assesses UNK_CraftyCamel as a separate intrusion activity group."
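As an added illustration of why polyglots evade single-format scanners (this is example code, not from Proofpoint's report or the article), the following triage check flags a file whose leading bytes claim one format while its trailer or body is still accepted by another parser; the magic-byte table and sample files are constructed, and the ZIP end-of-central-directory (EOCD) record is the hook that lets any file double as an archive.

```python
import re

# Leading magic bytes that header-based scanners trust (constructed table).
HEAD_MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "pe",
    b"PK\x03\x04": "zip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Minimal 22-byte ZIP End-of-Central-Directory record: signature + zeroed fields.
EOCD_SIGNATURE = b"PK\x05\x06"
EOCD_MIN_LEN = 22

def head_formats(data: bytes) -> set:
    """Formats claimed by the first bytes of the file."""
    return {name for magic, name in HEAD_MAGIC.items() if data.startswith(magic)}

def tail_formats(data: bytes) -> set:
    """Formats a tolerant parser still accepts even when the header says otherwise."""
    found = set()
    # ZIP readers locate the archive from the END of the file, so an EOCD record
    # appended to any other file yields a valid archive.
    idx = data.rfind(EOCD_SIGNATURE)
    if idx != -1 and len(data) - idx >= EOCD_MIN_LEN:
        found.add("zip")
    # PDF readers accept the %PDF- marker anywhere in the first 1024 bytes.
    if b"%PDF-" in data[:1024] and b"%%EOF" in data[-1024:]:
        found.add("pdf")
    # HTML/HTA engines skip leading junk and interpret whatever markup follows.
    if re.search(rb"<(html|script|hta:application)\b", data, re.IGNORECASE):
        found.add("html")
    return found

def is_polyglot_candidate(data: bytes) -> bool:
    """True when the file parses as more than one format."""
    return len(head_formats(data) | tail_formats(data)) > 1

def classify(data: bytes) -> dict:
    return {"head": sorted(head_formats(data)), "tail": sorted(tail_formats(data)),
            "polyglot": is_polyglot_candidate(data)}

# Constructed, benign samples: JPEG header with a ZIP EOCD appended, a plain
# JPEG, and a PDF header followed by HTML markup.
SAMPLE_JPEG_ZIP = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + EOCD_SIGNATURE + b"\x00" * 18
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 64
SAMPLE_PDF_HTML = b"%PDF-1.4\n<html><script>x=1</script></html>\n%%EOF"
```

Run `classify()` over attachments at the mail gateway and quarantine anything where `polyglot` is true; a heuristic like this is cheap and catches the mismatch a single-format scanner is built to ignore.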