
Just a sample of the Echomail archive

Cooperative anarchy at its finest, still active today. Darkrealms is the Zone 1 Hub.

   CONSPRCY      How big is your tinfoil hat?      2,445 messages   


   Message 640 of 2,445   
   Mike Powell to All   
   Aviaton firms hit by devi   
   06 Mar 25 08:54:00   
   
   TZUTC: -0500   
   MSGID: 354.consprcy@1:2320/105 2c2ee48f   
   PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0   
   TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0   
   BBSID: CAPCITY2   
   CHRS: ASCII 1   
   Aviation firms hit by devious new polyglot malware
      
   Date:   
   Wed, 05 Mar 2025 15:15:00 +0000   
      
   Description:   
   Hackers are engaged in a highly targeted attack, targeting individuals in the UAE.
      
   FULL STORY   
   ======================================================================   
    - Proofpoint observes a sophisticated BEC attack in the UAE   
    - The attackers used a compromised email account to share polyglot files with   
   their victims   
    - These files deploy a hidden backdoor against aviation firms   
      
   Aviation firms in the United Arab Emirates (UAE) were recently targeted by a
   highly sophisticated business email compromise (BEC) attack looking to deploy
   advanced malware.
      
   Cybersecurity researchers Proofpoint recently said they observed customers in   
   the country, with a distinct interest in aviation and satellite    
   communications organizations, along with critical transportation   
   infrastructure, being targeted.    
      
   The attacks started in late 2024, when a threat actor dubbed UNK_CraftyCamel
   compromised an Indian electronics company the aviation firms did business
   with in the past. They used that company's email account to spread multiple
   polyglot files, and by using their partner's email account, the attackers
   retained a sense of legitimacy, while trying to deploy malware in typical BEC
   fashion.
      
   Unknown attackers    
      
   The infection chain they were looking for starts with polyglot files - these   
   are files that can function as multiple formats simultaneously, allowing them   
   to evade traditional detection mechanisms. While somewhat uncommon, polyglot   
   files were observed in cyberattacks before, Proofpoint says, most notably in   
   the Emmenthaler loader attacks.    
      
   Eventually, these files lead to the installation of a custom Go-based
   backdoor called Sosano, designed to maintain access and execute other
   malicious commands remotely. The attackers' effort to conceal the attack didn't
   stop with polyglot files, either. The backdoor's size was bloated through
   unused Golang libraries, and its execution was delayed, to avoid detection in
   sandbox environments.
      
   Proofpoint said Sosano connected to a remote server bokhoreshonline[.]com to   
   receive commands and potentially download further payloads.    
      
   While the researchers do not directly link UNK_CraftyCamel to known groups,   
   they note similarities with Iran-aligned threat actors TA451 and TA455, both   
   associated with the Islamic Revolutionary Guard Corps (IRGC).    
      
   Both groups historically focused on targeting aerospace-aligned
   organizations. Furthermore, TA451 and UNK_CraftyCamel both used HTA files in
   highly targeted campaigns in the UAE; and TA455 and UNK_CraftyCamel share a
   preference for approaching targets with business-to-business sales offers,
   followed by targeting engineers within the same companies, the researchers
   said. Despite these similarities, Proofpoint assesses UNK_CraftyCamel to be a
   separate cluster of intrusion activity.
      
   ======================================================================   
   Link to news story:   
   https://www.techradar.com/pro/security/aviaton-firms-hit-by-devious-new-polyglot-malware
      
   $$   
   --- SBBSecho 3.20-Linux   
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)   
   SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30   
   SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664   
   SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45   
   SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35   
   PATH: 2320/105 229/426   
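The post above describes polyglot files as files that satisfy several format parsers at once, which is exactly why a single magic-number check at offset 0 misses them. The following Python is an added example, not code from the BBS post, from TechRadar or from Proofpoint, and the sample it builds (a hypothetical PDF stub with a ZIP archive appended) is constructed here, not a file from the campaign. It shows the mechanism (PDF readers look for "%PDF-" near the front, ZIP readers locate the End Of Central Directory record from the back, so one blob can be both) and two triage checks a practitioner would want: testing every signature where its parser actually looks, and using the EOCD's own offsets to measure how many foreign bytes precede a ZIP. All function and constant names are the example's own.

```python
"""Polyglot file triage: identify every container format a blob satisfies.

Added example, not code from the BBS post, TechRadar or Proofpoint. The sample
polyglot is constructed below (a PDF stub with a ZIP archive appended) and is
not a sample from the campaign described in the post.
"""
import io
import re
import struct
import zipfile
from typing import Callable, Dict, List, Optional, Set

# Hypothetical PDF prefix: enough for "%PDF-" to sit in the first 1024 bytes,
# which is all the PDF spec requires a reader to look for.
PDF_STUB = (
    b"%PDF-1.4\n% constructed polyglot demo\n"
    b"1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
)


def build_plain_zip() -> bytes:
    """A one-member ZIP (constructed, harmless text content, no script)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.hta", "constructed demo content, no script\n")
    return buf.getvalue()


def build_pdf_zip_polyglot() -> bytes:
    """PDF readers parse from the front; ZIP readers locate the End Of Central
    Directory (EOCD) record from the back, so prefix + archive is valid for both."""
    return PDF_STUB + build_plain_zip()


# Each test looks where the corresponding parser actually looks, not only at
# offset 0, because a polyglot only has to satisfy each parser's own search rule.
SIGNATURES: Dict[str, Callable[[bytes], bool]] = {
    "pdf": lambda d: b"%PDF-" in d[:1024],
    # EOCD is 22 bytes plus up to a 65535-byte comment, so scan that much tail.
    "zip": lambda d: b"PK\x05\x06" in d[-(22 + 65535):],
    "pe": lambda d: d[:2] == b"MZ",
    "ole2": lambda d: d[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    "html": lambda d: re.search(rb"<\s*(html|script|hta:application)", d[:4096], re.I) is not None,
}


def identify_formats(data: bytes) -> Set[str]:
    """Every format whose parser would accept this blob."""
    return {name for name, test in SIGNATURES.items() if test(data)}


def is_polyglot(data: bytes) -> bool:
    return len(identify_formats(data)) > 1


def zip_prefix_length(data: bytes) -> Optional[int]:
    """Bytes preceding the ZIP structure, derived from the EOCD record.

    The EOCD stores the central directory's size (offset 12) and its offset
    from the archive start (offset 16); their sum should equal the EOCD's own
    position. Any surplus is foreign data in front of the archive (a PDF, an
    executable stub, ...). Returns None when no EOCD is present."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    return eocd - cd_size - cd_offset


def zip_members(data: bytes) -> List[str]:
    """What a ZIP-aware tool (or a victim's archiver) would extract from the blob."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    sample = build_pdf_zip_polyglot()
    print("formats:", sorted(identify_formats(sample)))
    print("polyglot:", is_polyglot(sample))
    print("bytes before ZIP:", zip_prefix_length(sample))
    print("zip members:", zip_members(sample))
```

The prefix-length check is the more robust of the two: a signature scan can be fooled by padding or encoding, but a ZIP whose central-directory offsets do not add up to the EOCD position has, by construction, something in front of it, and in mail attachments that is worth a look regardless of what the first bytes claim to be.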
      



(c) 1994,  bbs@darkrealms.ca