Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector - Related to synology, firm's, used, indian, cisco

Suspected Iranian Hackers Used Compromised Indian Firm's Email to Target U.A.E. Aviation Sector

Threat hunters are calling attention to a new highly-targeted phishing campaign that singled out "fewer than five" entities in the United Arab Emirates ([website] to deliver a previously undocumented Golang backdoor dubbed Sosano.

The malicious activity was specifically directed against aviation and satellite communications organizations, , which detected it in late October 2024. The enterprise security firm is tracking the emerging cluster under the moniker UNK_CraftyCamel.

A noteworthy aspect of the attack chain is the fact that the adversary took advantage of its access to a compromised email account belonging to the Indian electronics enterprise INDIC Electronics to send phishing messages. The entity is expressed to have been in a trusted business relationship with all the targets, with the lures tailored to each of them.

"UNK_CraftyCamel leveraged a compromised Indian electronics business to target fewer than five organizations in the United Arab Emirates with a malicious ZIP file that leveraged multiple polyglot files to eventually install a custom Go backdoor dubbed Sosano," Proofpoint mentioned in a findings shared with The Hacker News.

The emails contained URLs that pointed to a bogus domain masquerading as the Indian firm ("indicelectronics[.]net"), hosting a ZIP archive that included an XLS file and two PDF files.

But in reality, the XLS file was a Windows shortcut (LNK) using a double extension to pass off as a Microsoft Excel document. The two PDF files, on the other hand, turned out to be polyglots: one that was appended with an HTML Application (HTA) file and the other with a ZIP archive appended to it.

This also meant that both PDF files could be interpreted as two different valid formats depending on how they are parsed using programs like file explorers, command-line tools, and browsers.

The attack sequence analyzed by Proofpoint entails using the LNK file to launch [website] and then using [website] to run the PDF/HTA polyglot file, leading to the execution of the HTA script that, in turn, contains instructions to unpack the contents of the ZIP archive present within the second PDF.

One of the files in the second PDF is an internet shortcut (URL) file that's responsible for loading a binary, which subsequently looks for an image file that's ultimately XORed with the string "234567890abcdef" to decode and run the DLL backdoor called Sosano.

Written in Golang, the implant carries a limited functionality to establish contact with a command-and-control (C2) server and await further commands -.

sosano , to get current directory or change working directory.

, to get current directory or change working directory yangom , to enumerate the contents of the current directory.

, to enumerate the contents of the current directory monday , to download and launch an unknown next-stage payload.

, to download and launch an unknown next-stage payload raian , to delete or remove a directory.

, to delete or remove a directory lunna, to execute a shell command.

Proofpoint noted that the tradecraft demonstrated by UNK_CraftyCamel does not overlap with any other known threat actor or group.

"Our analysis indicates that this campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC)," Joshua Miller, APT Staff Threat Researcher at Proofpoint, told The Hacker News. "The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape."

"This low volume, highly targeted phishing campaign leveraged multiple obfuscation techniques along with a trusted third-party compromise to target aviation, satellite communications, and critical transportation infrastructure in the [website] It demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully."

Cybersecurity researchers are alerting of an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules that are designed to depl......

Broadcom has released security updates to address three actively exploited security flaws in VMware ESXi, Workstation, and Fusion products that could ......

Google hat eine neue Sicherheitsfunktion für Android-Geräte angekündigt, die Betrugsversuche per künstlicher Intelligenz (KI) erkennen können soll. Da......

New Linux Malware ‘Auto-Color’ Grants Hackers Full Remote Access to Compromised Systems

Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, .

"Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software," security researcher Alex Armstrong expressed in a technical write-up of the malware.

Auto-color is so named based on the file name the initial payload renames itself post installation. It's currently not known how it reaches its targets, but what's known is that it requires the victim to explicitly run it on their Linux machine.

A notable aspect of the malware is the arsenal of tricks it employs to evade detection. This includes using seemingly-innocuous file names like door or egg, concealing command-and-control (C2) connections, and leveraging proprietary encryption algorithms for masking communication and configuration information.

Once launched with root privileges, it proceeds to install a malicious library implant named "[website]," copies and renames itself to /var/log/cross/auto-color, and makes modifications to "/etc/ld.preload" for establishing persistence on the host.

"If the current user lacks root privileges, the malware will not proceed with the installation of the evasive library implant on the system," Armstrong mentioned. "It will proceed to do as much as possible in its later phases without this library."

The library implant is equipped to passively hook functions used in libc to intercept the open() system call, which it uses to hide C2 communications by modifying "/proc/net/tcp," a file that contains information on all active network connections. A similar technique was adopted by another Linux malware called Symbiote.

It also prevents uninstallation of the malware by protecting the "/etc/ld.preload" against further modification or removal.

Auto-color then proceeds to contact a C2 server, granting the operator the ability to spawn a reverse shell, gather system information, create or modify files, run programs, use the machine as a proxy for communication between a remote IP address and a specific target IP address, and even uninstall itself by means of a kill switch.

"Upon execution, the malware attempts to receive remote instructions from a command server that can create reverse shell backdoors on the victim's system," Armstrong noted. "The threat actors separately compile and encrypt each command server IP using a proprietary algorithm."

A new campaign is targeting companies in Taiwan with malware known as Winos [website] as part of phishing emails masquerading as the country's National Taxa......

The [website] Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday placed two security flaws impacting Microsoft Partner Center and Synacor Z......

Google has presented the rollout of artificial intelligence (AI)-powered scam detection attributes to secure Android device consumers and their personal inf......

PolarEdge Botnet Exploits Cisco and Other Flaws to Hijack ASUS, QNAP, and Synology Devices

A new malware campaign has been observed targeting edge devices from Cisco, ASUS, QNAP, and Synology to rope them into a botnet named PolarEdge since at least the end of 2023.

French cybersecurity organization Sekoia expressed it observed the unknown threat actors deploying a backdoor by leveraging CVE-2023-20118 (CVSS score: [website], a critical security flaw impacting Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers that could result in arbitrary command execution on susceptible devices.

The vulnerability remains unpatched due to the routers reaching end-of-life (EoL) status. As workarounds, Cisco recommended in early 2023 that the flaw can be mitigated by disabling remote management and blocking access to ports 443 and 60443.

In the attack registered against Sekoia's honeypots, the vulnerability is presented to have been used to deliver a previously undocumented implant, a TLS backdoor that incorporates the ability to listen for incoming client connections and execute commands.

The backdoor is launched by means of a shell script called "q" that's retrieved via FTP and run following a successful exploitation of the vulnerability. It comes with capabilities to -.

Download a malicious payload named "[website]" from [website][.]227.

Execute a binary named "cipher_log" extracted from the archive.

Establish persistence by modifying a file named "/etc/flash/etc/[website]" to run the "cipher_log" binary repeatedly.

Codenamed PolarEdge, the malware enters into an infinite loop, establishing a TLS session as well as spawning a child process to manage client requests and execute commands using exec_command.

"The binary informs the C2 server that it has successfully infected a new device," Sekoia researchers Jeremy Scion and Felix Aimé introduced. "The malware transmits this information to the reporting server, enabling the attacker to determine which device was infected through the IP address/port pairing."

Further analysis has uncovered similar PolarEdge payloads being used to target ASUS, QNAP, and Synology devices. All the artifacts were uploaded to VirusTotal by customers located in Taiwan. The payloads are distributed via FTP using the IP address [website][.]227, which belongs to Huawei Cloud.

In all, the botnet is estimated to have compromised 2,017 unique IP addresses around the world, with most of the infections detected in the United States, Taiwan, Russia, India, Brazil, Australia, and Argentina.

"The purpose of this botnet has not yet been determined," the researchers noted. "An objective of PolarEdge could be to control compromised edge devices, transforming them into Operational Relay Boxes for launching offensive cyber attacks."

"The botnet exploits multiple vulnerabilities across different types of equipment, highlighting its ability to target various systems. The complexity of the payloads further underscores the sophistication of the operation, suggesting that it is being conducted by skilled operators. This indicates that PolarEdge is a well-coordinated and substantial cyber threat."

The disclosure comes as SecurityScorecard revealed that a massive botnet comprising over 130,000 infected devices is being weaponized to conduct large-scale password-spraying attacks against Microsoft 365 (M365) accounts by exploiting non-interactive sign-ins with Basic Authentication.

Non-interactive sign-ins are typically used for service-to-service authentication and legacy protocols like POP, IMAP, and SMTP. They do not trigger multi-factor authentication (MFA) in many configurations. Basic Authentication, on the other hand, allows credentials to be transmitted in plaintext format.

The activity, likely the work of a Chinese-affiliated group owing to the use of infrastructure tied to CDS Global Cloud and UCLOUD HK, employs stolen credentials from infostealer logs across a wide range of M365 accounts to obtain unauthorized access and get hold of sensitive data.

"This technique bypasses modern login protections and evades MFA enforcement, creating a critical blind spot for security teams," the organization expressed. "Attackers leverage stolen credentials from infostealer logs to systematically target accounts at scale."

"These attacks are recorded in non-interactive sign-in logs, which are often overlooked by security teams. Attackers exploit this gap to conduct high-volume password spraying attempts undetected. This tactic has been observed across multiple M365 tenants globally, indicating a widespread and ongoing threat."

Twitter is blasted for security and privacy lapses by the business’s former head of security who alleges the social media giant’s actions amount to a n......

The China-linked threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics......

USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent t......