Iranian Hackers Allegedly Used Indian Firm’s Compromised Email to Target UAE Aviation Sector

    Date: 03/13/2025

    Severity: Medium

    Summary

    Iranian hackers are suspected of using a compromised email account at the Indian company INDIC Electronics to launch a targeted phishing campaign against the UAE's aviation and satellite communications sectors. The attack chain used obfuscated malicious files and scripts and ultimately delivered a DLL backdoor known as Sosano. The campaign targeted critical infrastructure and showed advanced evasion techniques. Researchers assess with moderate confidence that it is linked to an Iranian-aligned actor, possibly affiliated with the Islamic Revolutionary Guard Corps (IRGC).

    Indicators of Compromise (IOC) List

    URL/Domain

    indicelectronics.net

    bokhoreshonline.com

    Hash (MD5)

    fbf3c44fdf1d635d1142ae0ec32fe887

    19dabeca5fe5f5f35382f8e19c0d4403

    35c29b31c3564e7d7cae9901299d41dd

    6bd3be2a2d5d01ffa2c061ed63ac290f

    Hash (SHA-1)

    304a9849894df9e6b3d381f2d24bcf2ef5b497fb

    f336903e65598cdc4908ee4ac0ff106c8c7fb027

    cf136da651dfb9104dcba68460ff57288b8c2ff9

    f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4

    Hash (SHA-256)

    336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14

    394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3

    e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626

    0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    userdomainname like "indicelectronics.net" or url like "indicelectronics.net" or userdomainname like "bokhoreshonline.com" or url like "bokhoreshonline.com"

    Detection Query 2

    md5hash IN ("fbf3c44fdf1d635d1142ae0ec32fe887","19dabeca5fe5f5f35382f8e19c0d4403","35c29b31c3564e7d7cae9901299d41dd","6bd3be2a2d5d01ffa2c061ed63ac290f")

    Detection Query 3

    sha1hash IN ("304a9849894df9e6b3d381f2d24bcf2ef5b497fb","f336903e65598cdc4908ee4ac0ff106c8c7fb027","cf136da651dfb9104dcba68460ff57288b8c2ff9","f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4")

    Detection Query 4

    sha256hash IN ("336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14","394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3","e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626","0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327")
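    As an added example, not part of the original advisory and not Gurucul's own query language: the same domain and hash checks as the four queries above, written as a standalone Python script and run over a few constructed log lines. The IOC values are the ones listed in this advisory; the log format, the field names (from=, url=, sha256=) and the example.invalid hosts are assumptions made for the sample. The script goes slightly beyond the literal queries by also flagging subdomains of the listed domains and by matching hashes regardless of letter case, which is how a defender would want an IOC sweep to behave.

```python
"""Sweep log lines for the advisory's IOCs (two domains, twelve file hashes).

The IOC sets below are copied from the advisory. SAMPLE_LOGS are constructed
for illustration; their format and field names are assumptions.
"""
import re

IOC_DOMAINS = {"indicelectronics.net", "bokhoreshonline.com"}

IOC_HASHES = {
    "md5": {
        "fbf3c44fdf1d635d1142ae0ec32fe887",
        "19dabeca5fe5f5f35382f8e19c0d4403",
        "35c29b31c3564e7d7cae9901299d41dd",
        "6bd3be2a2d5d01ffa2c061ed63ac290f",
    },
    "sha1": {
        "304a9849894df9e6b3d381f2d24bcf2ef5b497fb",
        "f336903e65598cdc4908ee4ac0ff106c8c7fb027",
        "cf136da651dfb9104dcba68460ff57288b8c2ff9",
        "f5e1b8a9a9ebce41fe734b82a312046b3d7d44a4",
    },
    "sha256": {
        "336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14",
        "394d76104dc34c9b453b5adaf06c58de8f648343659c0e0512dd6e88def04de3",
        "e692ff3b23bec757f967e3a612f8d26e45a87509a74f55de90833a0d04226626",
        "0c2ba2d13d1c0f3995fc5f6c59962cee2eb41eb7bdbba4f6b45cba315fd56327",
    },
}
HASH_KIND_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Longest alternative first so a SHA-256 is not mis-read as a shorter digest.
HEX_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.I)
# Hostname-like tokens: labels separated by dots, ending in an alphabetic TLD.
HOST_RE = re.compile(r"\b[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?\.[a-z]{2,}\b", re.I)


def domain_matches(host, ioc):
    """True if host equals the IOC domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def find_iocs(line):
    """Return (kind, ioc_value) pairs found in one log line."""
    hits = []
    for host in HOST_RE.findall(line):
        for ioc in IOC_DOMAINS:
            if domain_matches(host, ioc):
                hits.append(("domain", ioc))
    for digest in HEX_RE.findall(line):
        digest = digest.lower()
        kind = HASH_KIND_BY_LEN[len(digest)]
        if digest in IOC_HASHES[kind]:
            hits.append((kind, digest))
    return hits


def scan(lines):
    """Scan an iterable of log lines; return one dict per IOC hit."""
    results = []
    for number, line in enumerate(lines, 1):
        for kind, value in find_iocs(line):
            results.append({"line": number, "type": kind, "ioc": value})
    return results


# Constructed sample records (not real telemetry); field names are assumed.
SAMPLE_LOGS = [
    # inbound mail from the compromised sender domain
    '2025-03-13T08:01:02Z mail action=deliver from=accounts@indicelectronics.net '
    'to=ops@example.invalid subject="Invoice"',
    # proxy request to a subdomain of the second IOC domain
    "2025-03-13T08:05:44Z proxy url=https://cdn.bokhoreshonline.com/update.zip status=200",
    # endpoint file event carrying one of the advisory's SHA-256 values
    "2025-03-13T08:06:10Z edr event=file_write path=C:\\Users\\u\\AppData\\x.dll "
    "sha256=336d9501129129b917b23c60b01b56608a444b0fbe1f2fdea5d5beb4070f1f14",
    # benign record: unrelated host and a hash not on the list
    "2025-03-13T08:07:00Z proxy url=https://updates.example.invalid/agent.msi "
    "sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} IOC {hit['ioc']}")
```

    Run as-is it reports three hits (lines 1 to 3) and nothing for the benign fourth record. To use it on real data, replace SAMPLE_LOGS with an iterator over your mail, proxy or EDR export; the regexes are deliberately permissive so the script does not depend on any one log schema.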

    Reference:

    https://rewterz.com/threat-advisory/iranian-hackers-allegedly-used-indian-firms-compromised-email-to-target-uae-aviation-sector-active-iocs


    Tags

    Malware, Phishing, UAE, Communications, Critical Infrastructure, Iran, IRGC
