Description
A new and previously undocumented polyglot malware is being deployed against aviation, satellite communication, and critical transportation firms in the United Arab Emirates. The malware, named Sosano, is designed to establish persistence on infected systems and allow remote command execution. Discovered by Proofpoint in October 2024, this attack campaign is linked to a threat actor known as ‘UNK_CraftyCamel.’ While still limited in scope, the campaign is considered advanced and dangerous, posing a serious cyber-espionage threat.
Attack Details
The polyglot malware exploits multiple file formats within a single file, allowing different applications to interpret them in various ways. This method helps attackers bypass security software that typically scans files for a single known format.
In this attack, adversaries use a spear-phishing technique, sending highly targeted emails from a compromised Indian electronics company (INDIC Electronics). The emails contain malicious URLs directing victims to a spoofed domain (indicelectronics[.]net), where they are prompted to download a ZIP archive named “OrderList.zip.”
The ZIP archive includes:
- A Windows LNK (shortcut) file disguised as an Excel spreadsheet (XLS)
- Two polyglot PDF files (“about-indic.pdf” and “electronica-2024.pdf”)
- One PDF contains HTA (HTML Application) code
- The second PDF includes a hidden ZIP archive
When executed, the LNK file launches a chain of processes:
- The LNK file triggers cmd.exe, which launches mshta.exe to execute the HTA script embedded in the first PDF.
- The second PDF extracts a hidden ZIP archive, writing a URL file to the Windows Registry for persistence.
- A disguised XOR-encoded JPEG file decodes and executes the Sosano backdoor (yourdllfinal.dll).
Once activated, Sosano establishes a connection with its command-and-control (C2) server (bokhoreshonline[.]com) and awaits instructions. The malware allows attackers to:
- Perform file operations.
- Execute shell commands.
- Fetch and launch additional payloads.
Indicators of Compromise (IoCs)
- Malicious Domains:
- indicelectronics[.]net
- bokhoreshonline[.]com
- Malicious File Names:
- OrderList.zip
- about-indic.pdf
- electronica-2024.pdf
- yourdllfinal.dll
- Processes and Techniques:
- Execution of mshta.exe via cmd.exe
- Use of polyglot PDFs containing HTA scripts and hidden ZIP files
- URL persistence mechanism in the Windows Registry
Remediation
To defend against polyglot malware threats, organizations should implement the following measures:
- Email Security Measures:
- Deploy advanced email scanning tools that inspect multiple file formats within a single file.
- Block dangerous file types such as LNKs, HTAs, and ZIPs if they are not required in daily operations.
- Endpoint Protection:
- Use endpoint security solutions capable of detecting multi-format malicious files.
- Monitor system activity for unusual processes involving mshta.exe and cmd.exe executions.
- User Awareness and Training:
- Educate employees about spear-phishing tactics and suspicious email indicators.
- Encourage users to report unexpected file downloads and email attachments.
- Network Security:
- Block known malicious domains and IP addresses associated with this attack.
- Monitor outbound network traffic for unexpected C2 communications.
- Regular System Audits:
- Conduct frequent security assessments to identify and remove unauthorized registry modifications.
- Keep software, including security solutions, updated to prevent exploitation of vulnerabilities.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Emerging Polyglot Malware Targets Aviation and Satellite Communication Sectors
References