by Howard Solomon

Polyglot files used to spread new backdoor

News | 04 Mar 2025 | 5 min read
Malware | Phishing

Proofpoint reports that a threat actor has used the tactic against critical infrastructure firms in the UAE, warns CISOs to watch for it elsewhere.

[Image: backdoor with code. Credit: enzozo / Shutterstock]

A threat actor is using polyglot files to conceal installation of a new backdoor as part of a spear-phishing campaign targeting firms in the United Arab Emirates (UAE), particularly in the aviation, satellite communications, and transportation sectors.

The backdoor has been dubbed Sosano by researchers at Proofpoint, who made the discovery with help from PwC’s Threat Intelligence team.

The attack may be only in the UAE for now, but CISOs everywhere are advised to pay attention, because the tactic and backdoor may spread to other geographies.

Defenders should also note two other things about this campaign:

  • the attackers first compromised the email account of an Indian electronics company, then used that access to send email messages with malicious links;
  • the link led to a ZIP file that includes polyglot files to obfuscate payload content.

According to Proofpoint, the use of polyglot files, which are files that can be interpreted as multiple different formats depending on how they are read, is “relatively uncommon for espionage-motivated actors.”

These files are created by carefully structuring data so that different parsers interpret the same file differently, often by exploiting format-specific quirks or overlapping headers.

One example of the use of polyglot files in malware campaigns is the Emmenhtal loader, which Proofpoint says is frequently seen in cybercriminal attack chains delivering information stealers or remote access trojans (RATs).

The report “shows both sophistication in targeting and lures on the social engineering side, as well as an equal level of sophistication in the use of polyglot files,” said David Shipley, CEO of Canada-based security awareness training firm Beauceron Security.

“This report shows that the great game between attackers and defenders is only limited by the creativity and time an attacker can put into a target. It shows the enduring need for both technology controls as well as positive security cultures that motivate people to spot, stop, and report threats.”

Shipley said one reason that polyglot files aren’t used a lot by threat actors is that “simple still works often enough that you don’t have to go that far for most targets.”

Proofpoint doesn’t know who the threat actors in this campaign are. But, it said, “the low volume of recipients, highly targeted nature of the lures, and numerous attempts to obfuscate the malware indicate an adversary with a clear mandate.”

How it started

In late October 2024, a person or persons got into an email account at an Indian electronics firm called INDIC Electronics. Using that access, the gang sent email messages to five of Proofpoint’s customers in the UAE who work in critical infrastructure companies.

In response to a query for more details, Proofpoint said the message “leveraged the trusted relationship between the compromised sender and the targets by using a business-to-business sales lure”, including an order form and a backgrounder on the company. The message also included URLs that apparently ended in [.]com; they looked as though they went to a legitimate INDIC Electronics home page. Instead they went to a phony domain called “indicelectronics[.]net” that contained a zip archive that appeared to include an XLS (Excel spreadsheet) and two PDF files.

That would have fooled even suspicious email recipients, and possibly some defensive software. However, the supposed XLS was really a LNK file using a double extension (filename[.]xls[.]lnk), and the PDF files were both polyglots. One was appended with HTA [an HTML application], while the other had a zip archive appended.

The LNK file launched cmd[.]exe, the report said, and then used mshta[.]exe to execute the PDF/HTA polyglot file. The mshta[.]exe process reads through the file, past the PDF portion, until it finds the HTA header, and executes the content from there. The HTA script serves as an orchestrator, and it contains instructions for cmd[.]exe to carve out the executable and the URL file from the second PDF. Ultimately an executable looks for the Sosano backdoor hidden in the zip file.
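The lure layout described above (a double-extension LNK plus two PDF polyglots, one with HTA appended and one with a ZIP appended) can be triaged statically before anything is opened. The following is an added defender-side example, not code from Proofpoint or the article; the archive it inspects is a constructed stand-in, and the marker strings and extension sets are assumptions a triage tool would tune.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF-"
HTA_MARKERS = (b"<hta:application", b"<html", b"<script")  # assumed HTA/HTML markers
ZIP_LOCAL_HEADER = b"PK\x03\x04"
SCRIPT_EXT = {"lnk", "hta", "url", "js", "vbs"}  # assumed list of executable extensions
DOC_EXT = {"xls", "xlsx", "pdf", "doc", "docx"}  # document-looking middle extensions

def suspicious_double_extension(name):
    """Flag names like order.xls.lnk: a document name that really ends in a script/shortcut extension."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and parts[-1] in SCRIPT_EXT and parts[-2] in DOC_EXT

def find_appended_payloads(data):
    """For a file starting with %PDF-, report foreign formats after the last %%EOF:
    HTA/HTML markup (what mshta.exe scans for) or a ZIP local-file header."""
    if not data.startswith(PDF_MAGIC):
        return []
    eof = data.rfind(b"%%EOF")
    tail = data[eof + 5:] if eof != -1 else data
    found = []
    if any(m in tail.lower() for m in HTA_MARKERS):
        found.append("hta")
    if ZIP_LOCAL_HEADER in tail:
        found.append("zip")
    return found

def triage_archive(archive_bytes):
    """Map each member of a ZIP lure to the indicators it triggers."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as z:
        for name in z.namelist():
            hits = ["double-extension"] if suspicious_double_extension(name) else []
            hits += ["pdf+" + f for f in find_appended_payloads(z.read(name))]
            if hits:
                report[name] = hits
    return report

def build_sample_archive():
    """Constructed stand-in for the lure archive (not the real campaign artefacts)."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("stage.bin", b"placeholder payload")  # stands in for the hidden stage
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("order_form.xls.lnk", b"L\x00\x00\x00")  # LNK stand-in, not parsed here
        z.writestr("catalogue.pdf", pdf + b"<html><hta:application/><script></script></html>")
        z.writestr("profile.pdf", pdf + inner.getvalue())
        z.writestr("terms.pdf", pdf)
    return outer.getvalue()
```

Running `triage_archive(build_sample_archive())` flags the LNK by name and both polyglot PDFs by their trailing content, while the clean PDF produces no entry.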

The backdoor

The Sosano backdoor is a DLL written in Golang. The report said that while it is a large executable file (12 megabytes), it contains only a small amount of malicious code with a limited set of functionality. Upon execution of the malware, a subset of the strings is run through a de-obfuscation function and loaded into memory.

The program first sleeps for a random amount of time, using the current system time as a seed for the pseudo-random number generator. This sleep routine helps the malware evade detection in automated analysis sandboxes and endpoint defenses. After the sleep routine executes, the malware attempts to connect to its command-and-control server for further instructions.

Opportunities for detection

The report notes that the malware infection chain offers a variety of opportunities for detection. They include:

  • LNK files executing from recently created or unzipped directories;
  • LNK files executing from a recently unzipped directory;
  • a URL file in the registry Run key;
  • a URL file launching any file besides a web browser;
  • an executable file accessing a JPG file from a user directory.
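The detection opportunities listed above, plus the mshta-executing-a-PDF step described earlier, expressed as simple rules over endpoint telemetry. This is an added example, not a Proofpoint detection; the events are constructed, loosely modelled on Sysmon-style process-create, registry-set and file-read records, and the `launched_from` and `cwd_age_s` fields are assumed abstractions for "which shortcut started this process" and "how old the working directory is".

```python
# Constructed telemetry (not real logs). "launched_from" and "cwd_age_s" are assumed
# fields: the shortcut that triggered the process, and the age of its directory.
T = r"C:\Users\u\AppData\Local\Temp\Temp1_order.zip"
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe",
     "cwd_age_s": 40, "launched_from": rf"{T}\order_form.xls.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "cwd_age_s": 41,
     "cmdline": rf"mshta.exe {T}\catalogue.pdf"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": r"C:\Users\u\AppData\Roaming\upd.url"},
    {"type": "process", "image": r"C:\Users\u\AppData\Roaming\svc.exe", "cmdline": "svc.exe",
     "cwd_age_s": 9999999, "launched_from": r"C:\Users\u\AppData\Roaming\upd.url"},
    {"type": "file_read", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "path": r"C:\Users\u\Pictures\a.jpg"},
    {"type": "process", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",  # benign
     "cmdline": "firefox.exe", "cwd_age_s": 9999999, "launched_from": r"C:\Users\u\Desktop\site.url"},
]
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
RECENT_DIR_S = 300  # "recently created/unzipped": directory younger than 5 minutes (assumed)

def base(p):  # basename for Windows paths, independent of the host OS
    return p.replace("\\", "/").rsplit("/", 1)[-1].lower()

def lnk_from_fresh_dir(e):
    return (e["type"] == "process" and e.get("launched_from", "").lower().endswith(".lnk")
            and e.get("cwd_age_s", 1e12) < RECENT_DIR_S)

def mshta_given_non_hta(e):  # mshta.exe fed a document that is not .hta (the PDF/HTA polyglot)
    if e["type"] != "process" or base(e["image"]) != "mshta.exe":
        return False
    args = e["cmdline"].split(None, 1)[1:]
    return bool(args) and not args[0].strip('"').lower().endswith(".hta")

def url_in_run_key(e):
    return (e["type"] == "registry" and "\\currentversion\\run\\" in e["key"].lower()
            and e["value"].lower().endswith(".url"))

def url_launches_non_browser(e):
    return (e["type"] == "process" and e.get("launched_from", "").lower().endswith(".url")
            and base(e["image"]) not in BROWSERS)

def exe_reads_user_jpg(e):
    p = e.get("path", "").lower()
    return (e["type"] == "file_read" and base(e["image"]).endswith(".exe")
            and p.startswith("c:\\users\\") and p.endswith((".jpg", ".jpeg")))

RULES = [lnk_from_fresh_dir, mshta_given_non_hta, url_in_run_key, url_launches_non_browser, exe_reads_user_jpg]

def run_detections(events):
    """Return (event_index, rule_name) for each event that fires a rule."""
    return [(i, r.__name__) for i, e in enumerate(events) for r in RULES if r(e)]
```

Each rule alone is noisy in a real estate; the value is in the chain, so correlate hits from the same host within a short window rather than alerting on any single one.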

Among the lessons CISOs and CIOs can learn from this particular attack is the need to protect corporate domains from being spoofed.
