In response to a query for more details, Proofpoint said the message “leveraged the trusted relationship between the compromised sender and the targets by using a business-to-business sales lure”, including an order form and a backgrounder on the company. The message also included URLs that apparently ended in [.]com; they looked as though they went to a legitimate INDIC Electronics home page. Instead they went to a phony domain called “indicelectronics[.]net” that contained a zip archive that appeared to include an XLS (Excel spreadsheet) and two PDF files.
That would have fooled even suspicious email recipients, and possibly some defensive software. However, the supposed XLS was really a LNK file using a double extension (filename[.]xls[.]lnk), and the PDF files were both polyglots. One was appended with HTA [an HTML application], while the other had a zip archive appended.
The LNK file launched cmd[.]exe, the report said, and then used mshta[.]exe to execute the PDF/HTA polyglot file. The mshta[.]exe process goes through the file, past the PDF portion, until it finds the HTA header, and executes the content from there. The HTA script serves as an orchestrator, and it contains instructions for cmd[.]exe to carve out the executable and the URL file from the second PDF. Ultimately an executable looks for the Sosano backdoor hidden in the zip file.
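The structural tricks described above (a double-extension shortcut, and PDFs with an HTA or a zip archive appended after the PDF trailer) can be flagged with simple byte-level checks. The following is an added detection example, not code from Proofpoint or from the report; it relies on well-known file magics, and the file names and sample bytes are constructed for illustration.

```python
# Well-known file signatures used by the checks below (standard magics, not values from the report).
PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
ZIP_LOCAL_FILE = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"
# ShellLink header: HeaderSize 0x4C followed by the fixed LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00F"
HTA_MARKERS = (b"<hta:application", b"<html", b"<script")


def classify(name: str, data: bytes) -> list[str]:
    """Return a list of findings for one file; an empty list means nothing suspicious was seen."""
    findings = []
    exts = name.lower().split(".")[1:]
    # Double extension ending in .lnk: Explorer hides the known .lnk suffix, so it displays as "foo.xls".
    if len(exts) >= 2 and exts[-1] == "lnk":
        findings.append(f"double-extension shortcut: .{'.'.join(exts[-2:])}")
    if data.startswith(LNK_MAGIC) and exts[-1:] != ["lnk"]:
        findings.append("shortcut content with non-.lnk extension")
    if data.startswith(PDF_MAGIC):
        # A well-formed PDF ends at its last %%EOF (trailing whitespace aside); anything after it is foreign.
        eof = data.rfind(PDF_EOF)
        tail = data[eof + len(PDF_EOF):].strip() if eof != -1 else data[len(PDF_MAGIC):]
        if any(marker in tail.lower() for marker in HTA_MARKERS):
            findings.append("pdf/hta polyglot: HTML application appended to PDF")
        # A zip appended to a PDF leaves a local file header in the tail and an end-of-central-directory
        # record within the last 22 + 65535 bytes of the file (heuristic; raw PDF streams rarely match).
        if ZIP_LOCAL_FILE in tail or ZIP_EOCD in data[-65557:]:
            findings.append("pdf/zip polyglot: zip archive appended to PDF")
    return findings


# Constructed samples (not files from the campaign): a clean PDF, a PDF with HTA appended,
# a PDF with a minimal zip appended, and a double-extension shortcut.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<<>>\n%%EOF\n"
PDF_HTA = CLEAN_PDF + b"<html><hta:application id=x></hta:application></html>"
PDF_ZIP = CLEAN_PDF + ZIP_LOCAL_FILE + b"\x00" * 26 + b"a.txt" + b"hi" + ZIP_EOCD + b"\x00" * 18
LNK_SAMPLE = ("Order form.xls.lnk", LNK_MAGIC + b"\x00" * 60)


def scan_samples() -> dict[str, list[str]]:
    """Run the classifier over the constructed samples, keyed by file name."""
    return {
        "clean.pdf": classify("clean.pdf", CLEAN_PDF),
        "backgrounder.pdf": classify("backgrounder.pdf", PDF_HTA),
        "order.pdf": classify("order.pdf", PDF_ZIP),
        LNK_SAMPLE[0]: classify(*LNK_SAMPLE),
    }


if __name__ == "__main__":
    for filename, result in scan_samples().items():
        print(filename, "->", result or "clean")
```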