Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A highly targeted email-based campaign was identified that focused on aviation and satellite communications organizations in the United Arab Emirates. The threat actor used a compromised entity to send customized malicious messages, and analysis of those messages led to the discovery of a new backdoor named Sosano. The malware employed several obfuscation techniques, including polyglot files, which points to a sophisticated adversary. The infection chain involved multiple stages, using LNK files, HTA scripts, and XOR encoding. The Sosano backdoor, written in Golang, contains limited functionality but is heavily obfuscated. The threat actor, tracked as UNK_CraftyCamel, shows possible connections to Iranian-aligned adversaries but is assessed to be a separate entity. This campaign highlights the abuse of trusted relationships to deliver customized, obfuscated malware to a small set of selected targets.
OPENCTI LABELS :
apt,backdoor,supply-chain,targeted,satellite,sosano