An advanced threat actor with an India nexus has been observed using multiple cloud service providers to facilitate credential harvesting, malware delivery, and command-and-control (C2).
Web infrastructure and security company Cloudflare is tracking the activity under the name SloppyLemming, which is also called Outrider Tiger and Fishing Elephant.
“Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries,” Cloudflare said in an analysis.
SloppyLemming is assessed to be active since at least July 2021, with prior campaigns leveraging malware such as Ares RAT and WarHawk, the latter of which is also linked to a known hacking crew called SideWinder. The use of Ares RAT, on the other hand, has been attributed to SideCopy, a threat actor likely of Pakistani origin.
Targets of the SloppyLemming’s activity span government, law enforcement, energy, education, telecommunications, and technology entities located in Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.
The attack chains involve sending spear-phishing emails to targets that aim to trick recipients into clicking on a malicious link by inducing a false sense of urgency, claiming that they need to complete a mandatory process within the next 24 hours.
Clicking on the URL takes the victim to a credential harvesting page, which then serves as a mechanism for the threat actor to gain unauthorized access to targeted email accounts within organizations that are of interest.
“The actor uses a custom-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor,” the company said.
Some of the attacks undertaken by SloppyLemming have leveraged similar techniques to capture Google OAuth tokens, as well as employ booby-trapped RAR archives (“CamScanner 06-10-2024 15.29.rar”) that likely exploit a WinRAR flaw (CVE-2023-38831) to achieve remote code execution.
Present within the RAR file is an executable that, besides displaying the decoy document, stealthily loads “CRYPTSP.dll,” which serves as a downloader to retrieve a remote access trojan hosted on Dropbox.
It’s worth mentioning here that cybersecurity company SEQRITE detailed an analogous campaign undertaken by the SideCopy actors last year targeting Indian government and defense sectors to distribute the Ares RAT using ZIP archives named “DocScanner_AUG_2023.zip” and “DocScanner-Oct.zip” that are engineered to trigger the same vulnerability.
A third infection sequence employed by SloppyLemming entails using spear-phishing lures to lead prospective targets to a phony website that impersonates the Punjab Information Technology Board (PITB) in Pakistan, after which they are redirected to another site that contains an internet shortcut (URL) file.
The URL file comes embedded with code to download another file, an executable named PITB-JR5124.exe, from the same server. The binary is a legitimate file that’s used to sideload a rogue DLL named profapi.dll that subsequently communicates with a Cloudflare Worker.
These Cloudflare Worker URLs, the company noted, act as an intermediary, relaying requests to the actual C2 domain used by the adversary (“aljazeerak[.]online”).
Cloudflare said it “observed concerted efforts by SloppyLemming to target Pakistani police departments and other law enforcement organizations,” adding “there are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan’s sole nuclear power facility.”
Some of the other targets of credential harvesting activity encompass Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities.