Threat Actor Delivers Highly Targeted Multistage Polyglot Malware


In fall 2024, UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano.

Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed enough to receive a numerical TA designation. Delivery and infection chain analysis In late October 2024, UNK_CraftyCamel actors leveraged access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send malicious email messages. The emails contained URLs pointing to the actor-controlled domain indicelectronics[.]net, which mimics the legitimate INDIC electronics domain.

Read more…
Source: Proofpoint


Sign up for our Newsletter


Related:

  • PoetRAT Trojan targets energy sector using coronavirus lures

    April 17, 2020

    Government and energy sectors are being targeted in a new campaign that weaponizes the coronavirus outbreak. On Thursday, Cisco Talos researchers Warren Mercer, Paul Rascagneres and Vitor Ventura published an analysis of a new campaign that deploys PoetRAT, a previously-undiscovered Remote Access Trojan (RAT) striking both the Azerbaijan government and utility companies. According to the team, the malware attacks supervisory control ...

  • Gamaredon APT Group Use Covid-19 Lure in Campaigns

    April 17, 2020

    Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. Their campaigns are generally known for targeting Ukrainian government institutions. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities. In March, we came across an email with a malware attachment that used the ...

  • Financial Cyberthreats in 2019

    April 16, 2020

    Financial cyberthreats are malicious programs that target users of services such as online banking, e-money, and cryptocurrency, or that attempt to gain access to financial organizations and their infrastructure. These threats are usually accompanied by spam and phishing activities, with malicious users creating fake financial-themed pages and emails to steal victims’ credentials. In order to study ...

  • RagnarLocker ransomware hits EDP energy giant, asks for €10M

    April 14, 2020

    Attackers using the Ragnar Locker ransomware have encrypted the systems of Portuguese multinational energy giant Energias de Portugal (EDP) and are now asking for a 1580 BTC ransom ($10.9M or €9.9M). EDP Group is one of the largest European operators in the energy sector (gas and electricity) and the world’s 4th largest producer of wind energy. The company is present ...

  • Malicious Attackers Target Government and Medical Organizations With COVID-19 Themed Phishing Campaigns

    April 14, 2020

    Despite prior reporting by various sources indicating that some cyber threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks. While the various COVID-19 themed phishing campaigns observed by Unit 42 are numerous, this blog ...

  • Threat Spotlight: Gootkit Banking Trojan

    April 14, 2020

    Gootkit is a sophisticated banking Trojan which can perform various malicious activities such as: web injection, taking screenshots, video recording, email parsing, and so on. Gootkit emerged during the summer of 2014 but is still active, making it a viable threat to financial institutions to this day. BlackBerry most recently observed a Gootkit campaign via AZORult infostealer ...