Cloudflare Warns of India-Linked Hackers Targeting South and East Asian Entities
Cloud Security / Cyber Espionage
An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).
Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant.
“Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries,” Cloudflare said in an analysis.
SloppyLemming is assessed to be active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk, the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been linked to SideCopy, a threat actor likely of Pakistani origin.
Targets of SloppyLemming’s activity span government, law enforcement, energy, education, telecommunications, and technology entities located in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.
The attack chains involve sending spear-phishing emails to targets that aim to trick recipients into clicking on a malicious link by inducing a false sense of urgency, claiming that they need to complete a mandatory process within the next 24 hours.
Clicking on the URL takes the victim to a credential harvesting page, which then serves as a mechanism for the threat actor to gain unauthorized access to targeted email accounts within organizations that are of interest.
“The actor uses a custom-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor,” the company said.
Some of the attacks undertaken by SloppyLemming have leveraged similar techniques to capture Google OAuth tokens, as well as employing booby-trapped RAR archives (“CamScanner 06-10-2024 15.29.rar”) that likely exploit a WinRAR flaw (CVE-2023-38831) to achieve remote code execution.
Present within the RAR file is an executable that, besides displaying the decoy document, stealthily loads “CRYPTSP.dll,” which serves as a downloader to retrieve a remote access trojan hosted on Dropbox.
It’s worth mentioning here that cybersecurity company SEQRITE detailed an analogous campaign undertaken by the SideCopy actors last year targeting Indian government and defense sectors to distribute the Ares RAT using ZIP archives named “DocScanner_AUG_2023.zip” and “DocScanner-Oct.zip” that are engineered to trigger the same vulnerability.
A third infection sequence employed by SloppyLemming entails using spear-phishing lures to lead prospective targets to a phony website that impersonates the Punjab Information Technology Board (PITB) in Pakistan, after which they are redirected to another site that contains an internet shortcut (URL) file.
The URL file comes embedded with code to download another file, an executable named PITB-JR5124.exe, from the same server. The binary is a legitimate file that’s used to sideload a rogue DLL named profapi.dll that subsequently communicates with a Cloudflare Worker.
These Cloudflare Worker URLs, the company noted, act as an intermediary, relaying requests to the actual C2 domain used by the adversary (“aljazeerak[.]online”).
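The two detection opportunities described above, the sideloaded DLLs dropped next to a legitimate binary and a Workers hostname standing in for the real C2 domain, can be triaged from ordinary endpoint and proxy telemetry. The following is an added example, not code from Cloudflare or the article; the log format, the process names in the sample lines, and the file paths are constructed assumptions, while the DLL names, the executable name and the (refanged) C2 domain come from the article.

```python
"""Heuristic triage of proxy and file-creation telemetry for the
SloppyLemming tradecraft described above: a Cloudflare Workers host
used as a C2 relay, the named C2 domain, and the sideloaded DLL names."""
import re
from collections import namedtuple

# Defanged indicator quoted in the article, refanged for matching.
KNOWN_C2 = {"aljazeerak[.]online".replace("[.]", ".")}
# DLL names the article says were sideloaded beside a legitimate binary.
SIDELOAD_DLLS = {"profapi.dll", "cryptsp.dll"}
# Copies living here are expected; anywhere else they are suspicious.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

Finding = namedtuple("Finding", "line reason")
# Assumed proxy log layout: "<timestamp> <process> <host> <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<proc>\S+) (?P<host>\S+) (?P<path>\S*)$")

def triage_proxy(lines):
    """Flag contact with the known C2 domain, and Workers hostnames
    reached by a process that is not a browser (a relay candidate)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        host, proc = m["host"].lower(), m["proc"].lower()
        if host in KNOWN_C2:
            findings.append(Finding(line, "known-c2-domain"))
        elif host.endswith(".workers.dev") and proc not in BROWSERS:
            findings.append(Finding(line, "workers-dev-from-non-browser"))
    return findings

def triage_dll_paths(paths):
    """Flag the named DLLs when written outside the Windows system dirs."""
    out = []
    for p in paths:
        low = p.lower().replace("/", "\\")
        name = low.rsplit("\\", 1)[-1]
        if name in SIDELOAD_DLLS and not low.startswith(SYSTEM_DIRS):
            out.append(Finding(p, "sideload-candidate"))
    return out

# Constructed sample telemetry (not taken from the article).
SAMPLE_PROXY = [
    "2024-06-10T15:31:02Z PITB-JR5124.exe relay-example.workers.dev /beacon",
    "2024-06-10T15:31:05Z chrome.exe docs-example.workers.dev /",
    "2024-06-10T15:32:11Z PITB-JR5124.exe aljazeerak.online /task",
]
SAMPLE_PATHS = [
    r"C:\Users\victim\Downloads\PITB-JR5124\profapi.dll",
    r"C:\Windows\System32\profapi.dll",
    r"C:\Users\victim\AppData\Local\Temp\CRYPTSP.dll",
]

if __name__ == "__main__":
    for f in triage_proxy(SAMPLE_PROXY) + triage_dll_paths(SAMPLE_PATHS):
        print(f.reason, "->", f.line)
```

Workers hosts serve plenty of legitimate traffic, so the non-browser rule is a triage signal to pivot on, not a block rule on its own.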
Cloudflare said it “observed concerted efforts by SloppyLemming to target Pakistani police departments and other law enforcement organizations,” adding “there are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan’s sole nuclear power facility.”
Some of the other targets of credential harvesting activity encompass Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities.