Suspected Iran-backed hackers target UAE with newly discovered 'Sosano' malware

A relatively unknown threat actor targeted several organizations in the United Arab Emirates, including ones involved in aviation, satellite communications and critical transportation infrastructure, with a newly discovered backdoor that researchers have dubbed Sosano.

In an espionage campaign that started in the fall, a group tracked as UNK_CraftyCamel used a compromised email account belonging to the Indian electronics company INDIC Electronics to send malicious email messages to their victims, according to U.S.-based cybersecurity firm Proofpoint.

The company suggests that the campaign is likely the work of an Iranian-aligned adversary, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC), Iran’s top military force.

“The targeted sectors are crucial for both economic stability and national security, making them valuable intelligence targets in the broader geopolitical landscape,” Proofpoint researcher Joshua Miller said in a comment to Recorded Future News. The UAE tends to align with Saudi Arabia, a rival of Iran.

Proofpoint said that tactics used by UNK_CraftyCamel are similar to those deployed by the IRGC's TA451 and TA455 hacker groups. Both of them have previously targeted aerospace-related organizations and used similar “business-to-business lures” in UAE-based attacks. However, Proofpoint considers UNK_CraftyCamel a distinct threat group.

Proofpoint found that the hackers directed their victims to a domain masquerading as the website of the Indian company, which was in a trusted business relationship with the targets. The domain hosted a ZIP archive containing executable files that installed the custom Sosano backdoor, which can download and execute a next-stage payload.

The attack was highly customized, with each target receiving personalized malicious messages, researchers said. Proofpoint hasn’t provided much detail about the affected organizations or the success rate of the attacks.

“This campaign is an example of threat actors leveraging trusted relationships to deliver customized and obfuscated malware to highly selective targets,” researchers said. Because the messages came from a genuine account at a known partner rather than a spoofed or newly registered sender, they passed the sender-authentication and reputation checks that catch much commodity phishing, and recipients had every reason to trust them. By compromising suppliers or partners who regularly interact with their targets, attackers can sidestep those defenses and turn a trusted relationship into a supply chain compromise.

“It demonstrates the lengths to which state-aligned actors will go to evade detection and fulfill their intelligence collection mandates successfully,” Miller added.

Earlier in November, researchers discovered another espionage campaign in which suspected Iranian hackers impersonated recruiters on LinkedIn to target the aerospace industry. The campaign was attributed to TA455, likely a subgroup of the Iranian government cyberwarfare group Charming Kitten.

According to earlier research by Google-owned Mandiant, suspected Iranian hackers previously targeted the aerospace, aviation and defense industries in Israel, the United Arab Emirates and possibly Turkey, India, and Albania.

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.