Cloudflare Alerts of Indian-Connected Hackers Targeting Entities in South and East Asia
An advanced threat actor with a link to India has been noticed using various cloud service providers to support credential collection, malware distribution, and command-and-control (C2) operations.
Cloud infrastructure and security firm Cloudflare is tracking the activity under the name SloppyLemming, which is also known as Outrider Tiger and Fishing Elephant.
“From late 2022 to the present, SloppyLemming has consistently employed Cloudflare Workers, possibly as part of a wide-range spying campaign focused on South and East Asian nations,” Cloudflare announced in a study.
SloppyLemming is believed to have been active since at least July 2021. Its earlier operations used malware such as Ares RAT and WarHawk; the latter has also been linked to a known hacking group named SideWinder, while the use of Ares RAT has been attributed to SideCopy, a threat actor likely based in Pakistan.
The targets of SloppyLemming’s activities include government, law enforcement, energy, educational, telecommunications, and technology organizations situated in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.
The attacks begin with targeted phishing emails designed to trick victims into clicking a malicious link. The messages create a false sense of urgency by claiming that the recipient must complete a mandatory process within 24 hours.
Once the link is clicked, the victim is redirected to a page for credential harvesting, enabling the threat actor to gain unauthorized entry to specific email accounts within targeted organizations.
“The attacker utilizes a custom tool named CloudPhish to develop a rogue Cloudflare Worker to manage the credential logging operations and transfer victim credentials to the threat actor,” the firm stated.
Some of SloppyLemming’s attacks have used similar techniques to capture Google OAuth tokens, and others have deployed booby-trapped RAR archives (“CamScanner 06-10-2024 15.29.rar”) that likely exploit a WinRAR vulnerability (CVE-2023-38831) to achieve remote code execution.
Contained within the RAR file is an executable that, besides displaying a fake document, secretly loads “CRYPTSP.dll,” serving as a downloader to retrieve a remote access trojan hosted on Dropbox.
Notably, cybersecurity firm SEQRITE described a similar campaign by the SideCopy actors last year, which targeted Indian government and defense sectors to distribute the Ares RAT using ZIP archives named “DocScanner_AUG_2023.zip” and “DocScanner-Oct.zip” that exploited the same vulnerability.
A third method employed by SloppyLemming uses phishing lures to direct potential targets to a fake website imitating the Punjab Information Technology Board (PITB) in Pakistan, which then redirects them to another site hosting a URL file.

The URL file contains code that downloads another file, an executable named PITB-JR5124.exe, from the same server. The executable itself is legitimate and is abused to load a rogue DLL named profapi.dll, which communicates with a Cloudflare Worker.
These Cloudflare Worker URLs act as a relay, forwarding requests to the attacker’s actual C2 domain (“aljazeerak[.]online”).
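A defender-side illustration of the loading pattern described above (a legitimate executable loading profapi.dll or CRYPTSP.dll from somewhere other than the Windows system directories). This is an added example, not code from Cloudflare’s report; the image-load log format, the sample records and the trusted-directory list are assumptions.

```python
import re
from pathlib import PureWindowsPath

# DLL names the report says were loaded by otherwise legitimate executables
# (CRYPTSP.dll via the RAR lure, profapi.dll via PITB-JR5124.exe).
SIDELOAD_DLLS = {"cryptsp.dll", "profapi.dll"}

# Directories from which these DLLs are expected to load on a normal host
# (assumed list; extend for non-default Windows installs).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed, Sysmon-Event-7-style image-load records (not real telemetry).
SAMPLE_LOG = """\
Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\profapi.dll
Image=C:\\Users\\alice\\Downloads\\PITB-JR5124.exe ImageLoaded=C:\\Users\\alice\\Downloads\\profapi.dll
Image=C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$EX\\CamScanner.exe ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\Rar$EX\\CRYPTSP.dll
Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\Windows\\System32\\cryptsp.dll
"""

LINE_RE = re.compile(r"Image=(?P<image>.+?) ImageLoaded=(?P<dll>.+)$")


def parse_line(line):
    """Return (loading image path, loaded DLL path) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("image"), m.group("dll")) if m else None


def is_suspicious_load(dll_path):
    """True when a known side-load target DLL is loaded from an untrusted directory.
    Heuristic only: paths are compared lexically after lower-casing."""
    p = PureWindowsPath(dll_path)
    if p.name.lower() not in SIDELOAD_DLLS:
        return False
    return str(p.parent).lower() not in TRUSTED_DIRS


def find_sideload_candidates(log_text):
    """Scan image-load records; return (image name, dll path, same_dir) per hit.
    same_dir flags the classic case where the DLL sits next to the executable."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        image, dll = parsed
        if is_suspicious_load(dll):
            same_dir = PureWindowsPath(image).parent == PureWindowsPath(dll).parent
            hits.append((PureWindowsPath(image).name, dll, same_dir))
    return hits


if __name__ == "__main__":
    for image, dll, same_dir in find_sideload_candidates(SAMPLE_LOG):
        print(f"suspicious load: {image} -> {dll} (same directory: {same_dir})")
```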
Cloudflare mentioned that it “detected organized attempts by SloppyLemming to target Pakistani police departments and other law enforcement bodies,” stating “indications suggest that the actor has focused on organizations involved in the operation and maintenance of Pakistan’s only nuclear power facility.”
Other targets of the credential-harvesting activity include government and military entities in Sri Lanka and Bangladesh, as well as, to a lesser extent, energy and academic institutions in China.