Aman Mishra
2025-03-04 10:52:00
gbhackers.com
A sophisticated cyber espionage campaign targeting the aviation and satellite communications sectors in the United Arab Emirates has been uncovered by Proofpoint researchers.
The operation, attributed to a threat cluster dubbed “UNK_CraftyCamel,” demonstrates advanced techniques, including leveraging trusted business relationships and deploying obfuscated malware, to infiltrate critical transportation infrastructure in the region.
Highly Targeted Approach
The campaign, which began in late 2024, utilized a compromised email account belonging to an Indian electronics company, INDIC Electronics, to send spear-phishing emails to fewer than five organizations in the UAE.
The emails contained malicious URLs mimicking legitimate domains (indicelectronics[.]net), leading recipients to download a ZIP archive embedded with polyglot files, a rare and technically advanced method of malware delivery.
These polyglot files were designed to evade detection by exploiting format-specific quirks, enabling them to masquerade as legitimate PDF and XLS files while delivering their payload.
Proofpoint researchers identified that the ZIP archive contained a double-extension LNK file and two polyglot PDFs.
Upon execution, the LNK file triggered a chain of events involving cmd.exe and mshta.exe processes that ultimately installed a custom backdoor named “Sosano.”
This backdoor, written in Golang, showcased significant obfuscation efforts, including bloated code and unused libraries, complicating analysis for cybersecurity experts.
Sosano Backdoor Functionality
The Sosano backdoor operates as a DLL with limited yet potent capabilities.
Once executed, it connects to its command-and-control (C2) server (bokhoreshonline[.]com) and awaits instructions.
Commands include directory navigation, payload downloading, shell command execution, and directory deletion.
The malware also employs evasion tactics such as random sleep routines to bypass automated sandbox detection systems.
Although researchers were unable to retrieve the next-stage payload during their investigation, they noted additional embedded XOR keys that could be used for future iterations of the malware.
While UNK_CraftyCamel has no direct overlap with other known threat clusters, Proofpoint analysts observed similarities with Iranian-aligned groups such as TA451 and TA455.
Both clusters have historically targeted aerospace organizations and employed similar tactics like HTA file delivery and business-to-business sales lures.
Despite these parallels, UNK_CraftyCamel is assessed as an independent entity with a clear mandate focused on UAE aviation and satellite communications sectors.
This campaign highlights the growing trend of adversaries exploiting supply chain vulnerabilities by compromising trusted third-party entities.
Such tactics reduce initial detection rates and increase the likelihood of successful infiltration into high-value targets.
Organizations are advised to enhance employee training on identifying malicious content sent from known contacts, and to implement robust detection for unusual file behaviors, such as LNK files executing from recently unzipped directories or executables accessing JPG files in user directories.
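As an added defensive example (not from the Proofpoint report or this article), the following Python flags the LNK to cmd.exe to mshta.exe chain described above when it starts from a directory Explorer uses for freshly extracted ZIP archives. The process records and paths are constructed, and the `%TEMP%\Temp<N>_<archive>.zip` location is an assumption about Explorer's built-in ZIP viewer; archives extracted with other tools would need a different "recently unzipped" signal.

```python
import re
from dataclasses import dataclass

# Constructed Sysmon-style process-creation records (Event ID 1); not real telemetry.
@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    parent_image: str   # full path of the creating process
    current_dir: str    # working directory at creation time
# Assumption: the archive was opened in Explorer's built-in ZIP viewer, which
# extracts to %TEMP%\Temp<N>_<archive>.zip ; a LNK double-clicked there makes
# explorer.exe spawn the LNK target with that folder as its working directory.
RECENT_UNZIP_DIR = re.compile(r"\\Temp\\Temp\d+_[^\\]+\.zip(?:\\|$)", re.IGNORECASE)

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect_lnk_to_mshta(events):
    """Return pids of cmd.exe processes launched by explorer.exe out of a freshly
    extracted archive that then spawned mshta.exe (the chain described for Sosano)."""
    by_pid = {e.pid: e for e in events}
    flagged = set()
    for ev in events:
        if _name(ev.image) != "mshta.exe":
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or _name(parent.image) != "cmd.exe":
            continue
        if _name(parent.parent_image) == "explorer.exe" and RECENT_UNZIP_DIR.search(parent.current_dir):
            flagged.add(parent.pid)
    return flagged

SAMPLE_EVENTS = [
    # malicious chain: LNK inside the Explorer-extracted archive
    ProcEvent(2000, 1000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\Temp1_shipment_docs.zip"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice\AppData\Local\Temp\Temp1_shipment_docs.zip"),
    # benign: console opened from the Start menu, then an HTA tool run by hand
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"C:\Users\alice"),
    ProcEvent(3100, 3000, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\alice"),
    # benign: mshta.exe launched directly by Explorer, no cmd.exe hop
    ProcEvent(4000, 1000, r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
              r"C:\Users\alice\Documents"),
]
```

Only the cmd.exe that both came from the extraction folder and fathered mshta.exe is reported; the same lineage check can be extended to the JPG-access behaviour the article mentions once file-access events are available.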
Proofpoint’s findings underscore the importance of vigilance against increasingly sophisticated cyber threats targeting critical infrastructure sectors globally.