A dangerous new cyberattack is affecting aviation, satellite communication, and transportation companies in the United Arab Emirates. The hackers deliver their malware with a trick known as polyglot files: a single file that is valid in more than one format, so a scanner that reads it as one format misses the payload hidden in the other. The payload installs a backdoor called Sosano, which lets the attackers take control of the affected system and execute commands remotely.
Who is Behind This Attack?
Cybersecurity experts at Proofpoint discovered this attack in October 2024. They have linked it to a hacker group named UNK_CraftyCamel. Although the campaign is currently small, it is highly advanced and poses a serious risk to businesses.
Researchers also noticed similarities between this attack and previous cyber operations carried out by Iranian-linked hacking groups TA451 and TA455. However, this particular campaign seems to focus more on stealing information, which makes it unique.
What is Polyglot Malware?
Polyglot malware is a sneaky kind of cyber threat that can be interpreted in different ways by different programs. This means a single file can look like one thing to one program and something else to another.
For example, a file might act as an MSI installer on Windows but behave like a JAR file for Java. Most security software checks files based on one format, so they fail to detect the hidden malicious parts. This helps hackers bypass security systems and deliver harmful programs unnoticed.
In this case, the UNK_CraftyCamel hackers are using this trick to send malware while avoiding detection.
How the Attack Works
The hackers start their attack with phishing emails, which are fake messages designed to trick people. These emails appear to come from a real Indian electronics company, INDIC Electronics. Inside the email, there is a malicious link that takes victims to a fake website (indicelectronics[.]net), where they are tricked into downloading a ZIP file named "OrderList.zip".
This ZIP file contains:
1. A shortcut file (LNK) that looks like an Excel document.
2. Two PDF files called about-indic.pdf and electronica-2024.pdf.
But these PDF files are not what they seem: they are polyglot files containing hidden malware:
1. The first PDF hides a script (HTA code) that can execute harmful commands.
2. The second PDF contains a hidden ZIP archive, so the archived content passes as part of an ordinary-looking PDF and is not flagged.
When the victim opens the shortcut file (LNK), it runs a command in the background that triggers the hidden script inside the first PDF. That script unpacks and runs the content hidden in the second PDF, which then:
1. Modifies the Windows Registry to maintain access even after a restart.
2. Extracts and runs an encoded image file (JPEG) that secretly contains malware.
3. Decodes and activates a DLL file ("yourdllfinal.dll"), which is actually the Sosano backdoor.
Once Sosano is activated, it connects to a remote server (bokhoreshonline[.]com). This allows hackers to send commands, steal data, execute programs, and install more malware.
How to Stay Safe
To prevent such cyberattacks, companies should take multiple security measures, such as:
1. Blocking Suspicious Emails: Use email security tools to detect and remove harmful links and attachments before they reach employees.
2. Employee Awareness Training: Teach workers to identify phishing emails and avoid clicking on unknown links or opening suspicious files.
3. Restricting Dangerous Files: If file types like LNK, HTA, and ZIP are not required for daily work, companies should block them in emails to reduce risks.
4. Advanced Malware Detection: Security software should be able to scan files in multiple ways, ensuring that hidden malware is detected.
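As an added illustration of the "scan files in multiple ways" advice above, and of why a polyglot slips past a single-format check, the following Python looks for the signatures of every format this chain abuses (PDF, ZIP, HTA, JPEG, LNK and PE) rather than stopping at the first match, and flags a file whose bytes carry a second container format or do not match its extension. This is not Proofpoint's tooling or the campaign's files: the samples are constructed stand-ins and the signature tables and thresholds are illustrative assumptions.

```python
import os

# Signatures checked only at offset 0 (the format a normal parser sees first).
AT_START = {
    "pdf": (b"%PDF-",),
    "pe": (b"MZ",),
    "lnk": (b"L\x00\x00\x00\x01\x14\x02\x00",),  # ShellLink header size + CLSID
}
# Signatures searched through the whole file: a polyglot keeps the second
# format's markers wherever that format's parser looks (a ZIP reader walks
# backwards from the end of the file to find the PK\x05\x06 record).
ANYWHERE = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
    "hta": (b"<hta:application", b"<script"),
    "jpeg": (b"\xff\xd8\xff",),
}
EXPECTED = {".pdf": "pdf", ".zip": "zip", ".xlsx": "zip", ".jpg": "jpeg",
            ".jpeg": "jpeg", ".lnk": "lnk", ".dll": "pe", ".exe": "pe"}
# PDFs legitimately embed JPEG streams, so JPEG alone never makes a polyglot;
# two of these co-occurring in one file does.
CONTAINERS = {"pdf", "zip", "hta", "pe", "lnk"}
DOC_EXTS = {".xlsx", ".xls", ".docx", ".pdf"}


def find_formats(data: bytes) -> set:
    """Report every format whose signature is present, not just the first."""
    found = {f for f, sigs in AT_START.items() if data.startswith(sigs)}
    found |= {f for f, sigs in ANYWHERE.items() if any(s in data for s in sigs)}
    return found


def assess(filename: str, data: bytes) -> dict:
    """Flag a file that parses as more than one format or lies about its type."""
    stem, ext = os.path.splitext(filename.lower())
    formats = find_formats(data)
    expected = EXPECTED.get(ext)
    return {
        "formats": formats,
        "polyglot": len(formats & CONTAINERS) > 1,
        "mismatch": expected is not None and expected not in formats,
        # "report.xlsx.lnk": a shortcut wearing a document's name.
        "disguised_lnk": "lnk" in formats and os.path.splitext(stem)[1] in DOC_EXTS,
    }


# Constructed samples (harmless stand-ins, not the campaign's real files).
SAMPLES = {
    "pdf_with_hta.pdf": b"%PDF-1.4\n1 0 obj<<>>endobj\n<hta:application/>\n%%EOF",
    "pdf_with_zip.pdf": b"%PDF-1.4\n%%EOF\nPK\x03\x04dataPK\x05\x06" + b"\x00" * 18,
    "clean.pdf": b"%PDF-1.7\nstream\n\xff\xd8\xff\xe0JFIF\nendstream\n%%EOF",
    "report.xlsx.lnk": b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 68,
}
```

The byte patterns are deliberately coarse; in a mail gateway the same idea belongs in a YARA rule or content scanner that also opens any archive it finds and re-scans the members.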
Cybercriminals constantly develop new ways to avoid security measures. Companies in aviation, satellite communications, and critical infrastructure should stay alert, update their cybersecurity strategies, and use advanced security tools to protect their systems.