Threat Actor Delivers Highly Targeted Multistage Polyglot Malware


In fall 2024, UNK_CraftyCamel leveraged a compromised Indian electronics company to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano.

Proofpoint uses the UNK_ designator to define clusters of activity that are still developing and have not been observed enough to receive a numerical TA designation. Delivery and infection chain analysis In late October 2024, UNK_CraftyCamel actors leveraged access to a compromised email account belonging to the Indian electronics company INDIC Electronics to send malicious email messages. The emails contained URLs pointing to the actor-controlled domain indicelectronics[.]net, which mimics the legitimate INDIC electronics domain.

Read more…
Source: Proofpoint


Sign up for our Newsletter


Related:

  • Ransomware MongoLock Immediately Deletes Files, Formats Backup Drives

    January 8, 2019

    We have been following a new wave of MongoLock ransomware attacks that immediately deletes files upon infection instead of encrypting it, and further scans for other available folders and drives for file deletion. In the wild since December 2018, the ransomware demands a payment of 0.1 bitcoin from victims within 24 hours to retrieve the ...

  • Your Word is Your Bond: Trust and Ethics in Underground Forums

    January 7, 2019

    Although the general public thinks of underground forums as a place where scams and suspicious dealings are rampant, the opposite is usually true: the threat actors who inhabit these sites often consider their reputation a major asset. Many of the individuals and groups in underground forums go to great lengths to ensure that transactions go through ...

  • Spyware Disguises as Android Applications on Google Play

    January 3, 2019

    Trend Micro discovered a spyware (detected as ANDROIDOS_MOBSTSPY) which disguised itself as legitimate Android applications to gather information from users. The applications were available for download on Google Play in 2018, with some recorded to have already been downloaded over 100,000 times by users from all over the world. One of the applications we initially investigated ...

  • A Dozen Flaws in Popular Mac Clean-Up Software Allow Local Root Access

    January 3, 2019

    A passel of privilege-escalation vulnerabilities in MacPaw’s CleanMyMac X software would allow a local attacker to gain root access to an Apple machine in various ways. CleanMyMac X is a cleanup application for MacOS that optimizes the drives and frees up space by scanning for unused, redundant or unnecessary files and deleting them. No fewer than ...

  • Adobe Issues Emergency Patches for Two Critical Flaws in Acrobat and Reader

    January 3, 2019

    Adobe has issued an out-of-band security update to patch two critical vulnerabilities in the company’s Acrobat and Reader for both the Windows and macOS operating systems. Though the San Jose, California-based software company did not give details about the vulnerabilities, it did classify the security flaws as critical since they allow privilege escalation and arbitrary code execution in ...

  • Phishing template uses fake fonts to decode content and evade detection

    January 3, 2019

    Proofpoint researchers recently observed a phishing kit with peculiar encoding utilized in a credential harvesting scheme impersonating a major retail bank. While encoded source code and various obfuscation mechanisms have been well documented in phishing kits, this technique appears to be unique for the time being in its use of web fonts to implement the encoding. When the ...