Date: 03/13/2025
Severity: Medium
Summary
Iranian hackers are suspected of using a compromised email account belonging to the Indian company INDIC Electronics to launch a targeted phishing campaign against the UAE's aviation and satellite communications sectors. The attack involved obfuscated malicious files and scripts, ultimately delivering a DLL backdoor known as Sosano. This sophisticated campaign, likely linked to Iranian-aligned actors, targeted critical infrastructure and demonstrated advanced evasion techniques. Researchers assess with moderate confidence that the campaign may be linked to an Iranian-aligned actor, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC).
Indicators of Compromise (IOC) List
URL/Domain:
indicelectronics.net
bokhoreshonline.com
Hash (MD5):
fbf3c44fdf1d635d1142ae0ec32fe887
19dabeca5fe5f5f35382f8e19c0d4403
35c29b31c3564e7d7cae9901299d41dd
6bd3be2a2d5d01ffa2c061ed63ac290f
Hash (SHA1):
304a9849894df9e6b3d381f2d24bcf2ef5b497fb
f336903e65598cdc4908ee4ac0ff106c8c7fb027
cf136da651dfb9104dcba68460ff57288b8c2ff9
f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4
Hash (SHA256):
336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14
394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3
e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626
0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain / URL):
userdomainname like "indicelectronics.net" or url like "indicelectronics.net" or userdomainname like "bokhoreshonline.com" or url like "bokhoreshonline.com"
Detection Query 2 (MD5):
md5hash IN ("fbf3c44fdf1d635d1142ae0ec32fe887","19dabeca5fe5f5f35382f8e19c0d4403","35c29b31c3564e7d7cae9901299d41dd","6bd3be2a2d5d01ffa2c061ed63ac290f")
Detection Query 3 (SHA1):
sha1hash IN ("304a9849894df9e6b3d381f2d24bcf2ef5b497fb","f336903e65598cdc4908ee4ac0ff106c8c7fb027","cf136da651dfb9104dcba68460ff57288b8c2ff9","f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4")
Detection Query 4 (SHA256):
sha256hash IN ("336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14","394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3","e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626","0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327")
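The four queries above can be checked offline before they are loaded into a SIEM. The following is an added example written for this advisory, not Gurucul's TDIR query engine or any code from the referenced report: it carries the advisory's domains and hashes as Python sets and runs them over a handful of constructed log records. The `like` clauses in Query 1 are written without wildcards, and whether that means an exact or a substring match depends on the query engine; the example assumes the safer reading and matches the host exactly or as a subdomain, so a look-alike such as notindicelectronics.net does not fire. Field names (userdomainname, url, md5hash, sha1hash, sha256hash) are taken from the queries; the sample records are constructed.

```python
"""Offline check of the advisory's IOC queries against log records.

Added example for this advisory; not Gurucul's query engine.
"""
import hashlib
import re
from urllib.parse import urlsplit

# IOCs as listed in the advisory above.
IOC_DOMAINS = {"indicelectronics.net", "bokhoreshonline.com"}
IOC_MD5 = {
    "fbf3c44fdf1d635d1142ae0ec32fe887", "19dabeca5fe5f5f35382f8e19c0d4403",
    "35c29b31c3564e7d7cae9901299d41dd", "6bd3be2a2d5d01ffa2c061ed63ac290f",
}
IOC_SHA1 = {
    "304a9849894df9e6b3d381f2d24bcf2ef5b497fb", "f336903e65598cdc4908ee4ac0ff106c8c7fb027",
    "cf136da651dfb9104dcba68460ff57288b8c2ff9", "f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4",
}
IOC_SHA256 = {
    "336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14",
    "394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3",
    "e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626",
    "0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327",
}
# Hex digest length identifies the algorithm: 32 = MD5, 40 = SHA1, 64 = SHA256.
HASH_SETS = {32: ("md5", IOC_MD5), 40: ("sha1", IOC_SHA1), 64: ("sha256", IOC_SHA256)}
# Which advisory query each hash algorithm corresponds to.
QUERY_FOR_ALGO = {"md5": 2, "sha1": 3, "sha256": 4}
DOMAIN_FIELDS = ("userdomainname", "url")   # field names from Query 1
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")  # field names from Queries 2-4


def _host_of(value):
    """Reduce a URL, e-mail address or bare domain to a lower-case host name."""
    v = value.strip().lower()
    if "://" in v:
        return urlsplit(v).hostname or ""
    return v.rsplit("@", 1)[-1]  # 'user@domain' -> 'domain'; bare domains pass through


def domain_hit(value):
    """Query 1 analogue: the IOC domain matched exactly or as a parent domain, else None.

    Assumption: 'like "domain"' is treated as host == domain or host ends with '.domain',
    which rejects look-alikes such as notindicelectronics.net.
    """
    host = _host_of(value)
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def hash_hit(value):
    """Queries 2-4 analogue: (algorithm, hash) if the digest is an IOC, else None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    entry = HASH_SETS.get(len(v))
    if entry is None:
        return None
    algo, ioc_set = entry
    return (algo, v) if v in ioc_set else None


def file_hit(data):
    """Hash raw file bytes with all three algorithms and check each digest."""
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, data).hexdigest()
        if hash_hit(digest):
            return (algo, digest)
    return None


def scan_records(records):
    """Run the four queries over a list of dict records; return (index, query, field, ioc) tuples."""
    hits = []
    for idx, rec in enumerate(records):
        for field in DOMAIN_FIELDS:
            if field in rec:
                d = domain_hit(rec[field])
                if d:
                    hits.append((idx, 1, field, d))
        for field in HASH_FIELDS:
            if field in rec:
                h = hash_hit(rec[field])
                if h:
                    hits.append((idx, QUERY_FOR_ALGO[h[0]], field, h[1]))
    return hits


# Constructed sample records (not real telemetry); hosts other than the IOCs are placeholders.
SAMPLE_RECORDS = [
    {"userdomainname": "corp.example", "url": "https://mail.indicelectronics.net/owa/"},
    {"userdomainname": "bokhoreshonline.com"},
    {"md5hash": "FBF3C44FDF1D635D1142AE0EC32FE887"},  # upper-case hash from a tool
    {"sha256hash": "0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327"},
    {"userdomainname": "notindicelectronics.net", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS):
        print("record %d matched Query %d on %s: %s" % hit)
```

Hashes are normalised to lower case before comparison because some endpoint tools emit upper-case digests, which would silently miss an exact `IN (...)` match; the URL field is parsed to its host rather than substring-searched so that the IOC domain appearing in a query string or path of an unrelated site does not raise a false alert.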
Reference:
https://rewterz.com/threat-advisory/iranian-hackers-allegedly-used-indian-firms-compromised-email-to-target-uae-aviation-sector-active-iocs