Threat Actor Delivers Highly Targeted Multistage Polyglot Malware


In fall 2024, UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano.

Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed enough to receive a numerical TA designation. Delivery and infection chain analysis In late October 2024, UNK_CraftyCamel actors leveraged access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send malicious email messages. The emails contained URLs pointing to the actor-controlled domain indicelectronics[.]net, which mimics the legitimate INDIC electronics domain.

Read more…
Source: Proofpoint


Sign up for our Newsletter


Related:

  • Latest Spam Campaigns from TA505 Now Using New Malware Tools Gelup and FlowerPippi

    July 4, 2019

    Since our last research on TA505, we have observed new activity from the group that involves campaigns targeting different countries over the last few weeks. We found them targeting countries in the Middle East such as United Arab Emirates and Saudi Arabia, as well as other countries such as India, Japan, Argentina, the Philippines, and South Korea. This ...

  • Sodin ransomware exploits Windows vulnerability and processor architecture

    July 3, 2019

    When Sodin (also known as Sodinokibi and REvil) appeared in the first half of 2019, it immediately caught our attention for distributing itself through an Oracle Weblogic vulnerability and carrying out attacks on MSP providers. In a detailed analysis, we discovered that it also exploits the CVE-2018-8453 vulnerability to elevate privileges in Windows (rare among ransomware), and uses legitimate processor ...

  • Making Intelligence Actionable: Cybersecurity Preparedness in the Credit Union Industry

    July 3, 2019

    As the threat landscape continues to evolve, organizations need to be increasingly proactive in their approach to cybersecurity. One industry that’s taken proactive measures toward cybersecurity preparedness is the credit union industry. Over the last couple of years, the National Credit Union Administration (NCUA) developed a tool called the Automated Cybersecurity Examination Tool (ACET) to help credit unions ...

  • US Cyber Command issues alert about hackers exploiting Outlook vulnerability

    July 2, 2019

    US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks. The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday. The Outlook bug, discovered and detailed by security researchers from SensePost, allows a threat actor to escape from the Outlook ...

  • Phishing, ransomware are top cyberattacks on financial services firms

    July 1, 2019

    Phishing and ransomware attacks are the most reported types of cyberattacks on financial services firms, but in most cases the causes of outages were far more mundane. Financial services firms reported 819 cyber incidents to their watchdog, the Financial Conduct Authority (FCA), last year, a huge rise on the 69 incidents reported the year before. Retail banks were responsible ...

  • Island hopping: The latest security threat you should be aware of

    July 1, 2019

    While island hopping sounds like a great way to spend a holiday in Thailand or Greece, the term also refers to an advanced cyber attack technique. Though it’s not a new phenomenon, this type of attack increased in prevalence in 2018 and will likely become more and more common. The name ‘island hopping’ comes from a WWII ...