An advanced threat actor with an Indian connection was observed using multiple cloud service providers to facilitate credential collection, malware delivery, and command-and-control (C2).
Web infrastructure and security company Cloudflare tracks the activity under the name SloppyLemming, which is also called Weekend Tiger and Fishing Elephant.
“From late 2022 to the present, SloppyLemming regularly used Cloudflare Workers, likely as part of a broad espionage campaign targeting countries in South and East Asia,” Cloudflare said in the analysis.
SloppyLemming is believed to have been active since at least July 2021, with previous campaigns using malware such as the Ares RAT and WarHawk, the latter of which is also linked to a well-known hacking group called SideWinder. Use of the Ares RAT, on the other hand, has been linked to SideCopy, a threat actor likely of Pakistani origin.
SloppyLemming targets government, law enforcement, energy, education, telecommunications and technology organizations located in Pakistan, Sri Lanka, Bangladesh, China, Nepal and Indonesia.
The attack chains involve sending phishing emails that aim to trick recipients into clicking on a malicious link, creating a false sense of urgency by claiming they must complete a mandatory process within the next 24 hours.
Clicking on the URL takes the victim to a credential collection page, which then serves as a mechanism for the threat actor to gain unauthorized access to targeted email accounts within organizations of interest.
“The actor uses a custom-built tool called CloudPhish to create a malicious Cloudflare Worker to handle the credential registration logic and issue the victim’s credentials to the threat actor,” the company said.
Some SloppyLemming attacks used similar techniques to capture Google OAuth tokens, as well as weaponized RAR archives (“CamScanner 06-10-2024 15.29.rar”) that likely exploit a WinRAR flaw (CVE-2023-38831) to achieve remote code execution.
The RAR file contains an executable that, in addition to displaying a decoy document, stealthily loads “CRYPTSP.dll”, which serves as the loader for a remote access trojan hosted on Dropbox.
It is worth noting that cybersecurity company SEQRITE detailed a similar campaign last year in which SideCopy targeted the Indian government and defense sector to distribute the Ares RAT using ZIP archives named “DocScanner_AUG_2023.zip” and “DocScanner-Oct.zip”, which were designed to exploit the same vulnerability.
The third infection sequence used by SloppyLemming employs phishing lures to redirect potential targets to a fake website impersonating the Punjab Information Technology Board (PITB) in Pakistan, after which they are redirected to another site that serves an Internet shortcut (URL) file.
The URL file comes with embedded code to download another file, an executable named PITB-JR5124.exe, from the same server. The binary is a legitimate executable that is used to load a malicious DLL called profapi.dll, which then interacts with the Cloudflare Worker.
The company noted that these Cloudflare Worker URLs act as intermediaries, forwarding requests to the actual C2 domain used by the adversary (“aljazeerak(.)online”).
Cloudflare said it had “observed a concerted effort by SloppyLemming to attack Pakistan’s police departments and other law enforcement agencies,” adding that “there are indications that the actor has targeted organizations involved in the operation and maintenance of Pakistan’s only nuclear power facility.”
Some of the other targets of credential harvesting activities include government and military organizations in Sri Lanka and Bangladesh and, to a lesser extent, Chinese energy and academic organizations.