Exploring SloppyLemming’s Operations Throughout South Asia

Cloudforce One’s investigation reveals SloppyLemming, an advanced threat actor using multiple cloud providers for credential harvesting, malware delivery, and command-and-control, with a primary focus on government and technology sectors in South and East Asia, especially Pakistan. The report documents custom tools like CloudPhish and WinRAR exploits (CVE-2023-38831) used to harvest credentials and deploy malware, alongside observable OPSEC weaknesses and mitigations via Cloudflare and partner cooperation. #SloppyLemming #OUTRIDER_TIGER #CloudPhish #WinRAR #CVE-2023-38831 #CloudflareWorkers #Pakistan #Dropbox #GoogleOAuth

Key points

  • Actor Identification: SloppyLemming is linked to the adversary OUTRIDER TIGER tracked by CrowdStrike.
  • Target Regions: Primarily Pakistan, with additional focus on Bangladesh, Sri Lanka, Nepal, and China.
  • Phishing Techniques: Utilizes tailored phishing emails and a custom tool called CloudPhish for credential harvesting.
  • Malware Delivery: Distributes malware via Dropbox and exploits vulnerabilities in WinRAR.
  • Operational Security: SloppyLemming demonstrates poor OPSEC, allowing insights into their methods and tools.
  • Mitigation Efforts: Cloudforce One has implemented detection measures and notified relevant cloud service providers to disrupt SloppyLemming’s operations.

MITRE Techniques

  • [T1566] Phishing – Tailored phishing emails crafted to deceive targets into clicking malicious links. “crafts tailored phishing emails to deceive targets into clicking malicious links.”
  • [T1003] Credential Dumping – Credential harvesting to gain access to targeted email accounts. “credential harvesting as a means to gain access to targeted email accounts.”
  • [T1219] Remote Access Tools – Deploys RATs to maintain access to compromised systems. “Deploys RATs to maintain access to compromised systems.”
  • [T1203] Exploitation of Vulnerability – Exploits CVE-2023-38831 in WinRAR to execute malicious payloads. “Exploits CVE-2023-38831 in WinRAR to execute malicious payloads.”
  • [T1071] Command and Control – Uses Cloudflare Workers for C2 communications. “Utilizes Cloudflare Workers for command and control communications.”

Indicators of Compromise

  • [Domain] – Domains used for C2 and credential harvesting – mail-na-gov-pk.na-gov-pk.workers.dev, pitb.gov-pkgov.workers.dev, and other actor-controlled domains.
  • [IP Address] – Resolved IPs used in C2 communications – 8.219.169.226, 47.74.10.112.
  • [Hash] – File hashes associated with payloads – a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b216327591b1e1113391c609fd17, b6ae5b714f18ca40a111498d0991e1e30cd5317b4904d2ef0d49937f0552000.
  • [File name] – RAR/ZIP contents and executables – “CamScanner 06-10-2024 15.29.rar”, “CamScanner 06-12-2024 15.29.pdf” (and “CryptSP.dll”, “NekroWire.dll”).
  • [URL] – Malicious login/redirect URLs used in credential harvesting – https://mail-na-gov-pk.na-gov-pk.workers.dev/api/login, https://zoom.osutuga7.workers.dev/authenticate.
  • [Domain] – Masquerading domains and infrastructure – mailpitb-securedocs.zapto.org, pitb.zapto.org/webdav/pitb, aljazeerak.online.
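To make the indicator list above directly usable for a retrospective sweep, here is an added example (not from the Cloudflare report or from Cloudforce One) that loads the domains, IPs, hash and file names listed above and checks them against a handful of constructed key=value proxy/EDR log lines. Domain matching is suffix-based, so a host under one of the listed zones (for example a subdomain of pitb.zapto.org) is also flagged; the log format, the sample lines and the `sweep`/`host_matches` helper names are assumptions of this example, and the second, truncated hash from the list is intentionally left out.

```python
"""IoC sweep over constructed log lines using the SloppyLemming indicators from the summary."""
import re
from typing import Dict, List, Optional

# Indicators copied from the summary above (assumed complete only as far as that list goes)
IOC_DOMAINS = {
    "mail-na-gov-pk.na-gov-pk.workers.dev",
    "pitb.gov-pkgov.workers.dev",
    "zoom.osutuga7.workers.dev",
    "mailpitb-securedocs.zapto.org",
    "pitb.zapto.org",
    "aljazeerak.online",
}
IOC_IPS = {"8.219.169.226", "47.74.10.112"}
IOC_HASHES = {"a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b216327591b1e1113391c609fd17"}
IOC_FILENAMES = {
    "CamScanner 06-10-2024 15.29.rar",
    "CamScanner 06-12-2024 15.29.pdf",
    "CryptSP.dll",
    "NekroWire.dll",
}

# key=value tokens; quoted values may contain spaces (file names in this format do)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def host_matches(host: str) -> Optional[str]:
    """Return the IoC domain that `host` equals or sits under, else None."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def sweep(lines: List[str]) -> List[Dict[str, object]]:
    """Check each line's host, dst, sha256 and file fields against the IoC sets."""
    hits: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        fields = parse_kv(line)
        domain = host_matches(fields.get("host", ""))
        if domain:
            hits.append({"line": n, "type": "domain", "indicator": domain})
        if fields.get("dst") in IOC_IPS:
            hits.append({"line": n, "type": "ip", "indicator": fields["dst"]})
        if fields.get("sha256", "").lower() in IOC_HASHES:
            hits.append({"line": n, "type": "hash", "indicator": fields["sha256"].lower()})
        if fields.get("file") in IOC_FILENAMES:
            hits.append({"line": n, "type": "file", "indicator": fields["file"]})
    return hits


# Constructed sample log lines (IPs 104.16.0.x and 185.0.0.9 are placeholders, not indicators)
SAMPLE_LOGS = [
    'ts=2024-06-10T08:01:12Z src=10.20.0.15 dst=104.16.0.1 host=www.example.com url="/index.html"',
    'ts=2024-06-10T08:02:40Z src=10.20.0.15 dst=104.16.0.2 host=mail-na-gov-pk.na-gov-pk.workers.dev url="/api/login"',
    'ts=2024-06-10T08:03:05Z src=10.20.0.15 dst=8.219.169.226 host=8.219.169.226 url="/"',
    'ts=2024-06-10T08:04:22Z src=10.20.0.15 dst=185.0.0.9 host=files.pitb.zapto.org url="/webdav/pitb"',
    'ts=2024-06-10T08:05:00Z src=10.20.0.15 file="CamScanner 06-10-2024 15.29.rar" '
    'sha256=a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b216327591b1e1113391c609fd17',
]

if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS):
        print(f"line {hit['line']}: {hit['type']} match on {hit['indicator']}")
```

Run against real proxy or EDR exports by replacing `SAMPLE_LOGS` with the file's lines; exact-string matching on a short list like this is cheap, but the suffix rule on domains is what catches hosts the report did not enumerate individually, such as further subdomains under the listed zapto.org zones.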

Read more: https://www.cloudflare.com/en-in/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/