Threat Actor Delivers Highly Targeted Multistage Polyglot Malware


In fall 2024, UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano.

Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed enough to receive a numerical TA designation. Delivery and infection chain analysis In late October 2024, UNK_CraftyCamel actors leveraged access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send malicious email messages. The emails contained URLs pointing to the actor-controlled domain indicelectronics[.]net, which mimics the legitimate INDIC electronics domain.

Read more…
Source: Proofpoint


Sign up for our Newsletter


Related:

  • Is agriculture at risk from cyber crime?

    November 18, 2019

    Most media coverage about cyber-crime shares horrendous examples of how individuals or families’ lives have been ruined by ruthless scams. This is no different in the agriculture sector. Cyber crime has become a major industry – and the cyber security industry has grown rapidly to tackle the scale of the problem. The Office of National Statistics estimates ...

  • New WhatsApp Bug Could Have Let Hackers Secretly Install Spyware On Your Devices

    November 16, 2019

    The vulnerability affects both consumers as well as enterprise apps of WhatsApp for all major platforms, including Google Android, Apple iOS, and Microsoft Windows. According to an advisory published by Facebook, which owns WhatsApp, the list of affected app versions are as follows: Android versions before 2.19.274 iOS versions before 2.19.100 Enterprise Client versions before 2.25.3 Windows Phone versions before and ...

  • Stealthy Malware Flies Under AV Radar with Advanced Obfuscation

    November 15, 2019

    Researchers warn hackers are putting a new spin on old injection techniques and successfully end-running endpoint protection. They are tracking a campaign, that kicked off in January, that is still going strong exploiting weaknesses in web browsers. The objective is to hide in the background of infected systems in order to steal user passwords, track ...

  • APT33 Mounts Focused, Highly Targeted Botnet Attacks Against U.S. Victims

    November 14, 2019

    The Iran-linked, espionage-focused advanced threat group known as APT33 has been spotted using more than a dozen obfuscated botnets to carry out narrowly targeted attacks against government and academic targets in the Middle East, the U.S. and Asia. Each botnet, linked to its own command-and-control (C2) server, comprises a small group of up to a dozen ...

  • DDoS Attacks That Employ TCP Amplification Cause Network Congestion, Secondary Outages

    November 14, 2019

    Over the past month, threat actors have been using a relatively non-conventional approach to mount a flurry of distributed denial-of-service (DDoS) attacks: through TCP amplification. Security company Radware shared its observations on multiple campaigns involving Transmission Control Protocol (TCP) reflection attacks, specifically SYN-ACK reflection attacks, against companies across the world. The scope of the impact was ...

  • McAfee antivirus software impacted by code execution vulnerability

    November 12, 2019

    Researchers have revealed a serious code execution vulnerability impacting all editions of McAfee software. On Tuesday, the SafeBreach Labs cybersecurity team said that CVE-2019-3648 can be used to bypass McAfee’s self-defense mechanisms, potentially leading to further attacks on a compromised system. The vulnerability exists due to a failure to validate whether or not loading DLLs have been signed, and a path ...