The malware delivers a backdoor called Sosano, which establishes persistence on the infected devices and allows the attackers to execute commands remotely. The activity was discovered by Proofpoint in October 2024, which attributes the attacks to a threat actor tracked as 'UNK_CraftyCamel.' While the campaign is still small, the researchers report that it is nonetheless advanced and dangerous to the targeted companies.

Polyglot malware consists of specially crafted files that contain multiple file formats, allowing them to be interpreted differently by different applications. For example, a single file could be structured as both a valid MSI (Windows installer) and a JAR (Java archive), so that Windows recognizes it as an MSI while the Java runtime interprets it as a JAR. This technique lets attackers deliver malicious payloads stealthily, evading security software that typically analyzes a file according to a single format.

In the new campaign observed by Proofpoint, the attack begins with a highly targeted spear-phishing email sent from a compromised Indian electronics company (INDIC Electronics). The archive contains an LNK (Windows shortcut) file disguised as an XLS, as well as two PDF files ("about-indic.pdf" and "electronica-2024.pdf"). Both PDFs are polyglot files: each contains a legitimate PDF file structure plus an additional, malicious file structure.

When the LNK file is executed, cmd.exe launches mshta.exe, which runs the HTA script hidden inside the first PDF; that script in turn triggers the launch of the second PDF. The hidden archive inside the second PDF writes a URL file to the Windows Registry for persistence and then executes an XOR-encoded JPEG file that decodes to a DLL payload ("yourdllfinal.dll"), which is the Sosano backdoor.

Proofpoint says Sosano is a relatively simple Go-based payload with limited functionality that was likely bloated to 12MB in size to obfuscate the small amount of malicious code it contains. Once activated, Sosano establishes a connection with its command-and-control (C2) server at "bokhoreshonline[.]com" and awaits commands, including file operations, shell command execution, and fetching and launching additional payloads.

The main benefit of using polyglots is evasion: most security tools inspect the first file format (PDF), which is a benign document, and completely ignore the hidden malicious portion (HTA/ZIP payloads). Defending against polyglot threats requires a multifaceted approach combining email scanning, user education, and security software that can detect multiple file formats in a single file. If not needed in daily operations, blocking dangerous file types such as LNKs, HTAs, and ZIPs at the email gateway is prudent.
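The evasion described above works because a scanner stops at the first format it recognizes. The following Python script is an added example (it is not Proofpoint's or BleepingComputer's code, and not the samples from the campaign) of the multi-format check a mail gateway or triage tool can apply: it looks for a PDF header, a ZIP local-file header followed by an end-of-central-directory record, and HTA markers in the same byte stream, and parses the trailing ZIP to list its members. The sample "PDF + appended ZIP containing an HTA stub" is constructed inline; the signature list is a heuristic assumption, not a complete format grammar.

```python
"""Heuristic detector for PDF/ZIP/HTA polyglots (added example, not code from the article)."""
import io
import re
import zipfile

PDF_MAGIC = b"%PDF-"
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP member
ZIP_EOCD = b"PK\x05\x06"           # end-of-central-directory record, always near the file end
# HTA markers: an <hta:application> element or a script block in an HTA-typical language
HTA_PATTERNS = [
    re.compile(rb"<hta:application", re.I),
    re.compile(rb"<script[^>]*(vbscript|jscript|javascript)", re.I),
]


def detect_formats(data: bytes) -> dict:
    """Return a mapping of recognised format -> byte offset where its structure starts."""
    found = {}
    if data.startswith(PDF_MAGIC):
        found["pdf"] = 0
    # A ZIP can be glued anywhere after the PDF; require both a member header and an EOCD after it
    local_header = data.find(ZIP_LOCAL_HEADER)
    if local_header != -1 and data.rfind(ZIP_EOCD) > local_header:
        found["zip"] = local_header
    for pattern in HTA_PATTERNS:
        match = pattern.search(data)
        if match:
            found["hta"] = match.start()
            break
    return found


def is_polyglot(data: bytes) -> bool:
    """True when more than one container or script format is present in a single file."""
    return len(detect_formats(data)) > 1


def list_embedded_zip(data: bytes) -> list:
    """List member names of a ZIP appended to another file.

    zipfile locates the EOCD from the end and corrects the offsets for any leading
    bytes, so the PDF prefix does not need to be stripped first.
    """
    if "zip" not in detect_formats(data):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return archive.namelist()


def build_sample() -> bytes:
    """Constructed sample: a minimal benign PDF skeleton with a stored ZIP appended."""
    pdf = (b"%PDF-1.4\n"
           b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
           b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    buffer = io.BytesIO()
    # ZIP_STORED (the default) keeps the member uncompressed, so its text is visible to the scan
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr(
            "payload.hta",
            '<html><hta:application id="sample"></hta:application>'
            '<script language="VBScript">\' constructed placeholder, no actions</script></html>',
        )
    return pdf + buffer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print("formats found:", detect_formats(sample))
    print("polyglot:", is_polyglot(sample))
    print("embedded members:", list_embedded_zip(sample))
```

Two caveats for anyone adapting this: the HTA regexes only see plaintext, so a member stored with DEFLATE would be found by `list_embedded_zip` (via its name and the ZIP structure) but not by the content scan; and a legitimate PDF may contain arbitrary binary streams, so a `PK\x03\x04` hit should be confirmed by the EOCD check, as done here, before a file is quarantined.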
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 04 Mar 2025 16:20:05 +0000