SloppyLemming Espionage Campaign Targets South and East Asia

On September 24, 2024, Cloudforce One published an extensive investigation into a sophisticated espionage campaign orchestrated by the advanced threat actor known as SloppyLemming.


Introduction

On September 24, 2024, Cloudforce One published an extensive investigation into a sophisticated espionage campaign orchestrated by the advanced threat actor known as SloppyLemming. This actor has been active since late 2022, predominantly targeting organizations in Pakistan, Bangladesh, Sri Lanka, and China. Through the use of various cloud service providers, SloppyLemming has leveraged phishing campaigns, credential harvesting, and malware distribution to compromise critical sectors, including government, law enforcement, telecommunications, and energy.

Report Overview

SloppyLemming, which Cloudforce One aligns with CrowdStrike's OUTRIDER TIGER, conducts widespread cyber operations across South and East Asia, with a specific focus on Pakistan. Cloudforce One's visibility into the actor's operations revealed the use of Cloudflare Workers to facilitate credential harvesting, malware delivery, and command and control (C2) communications. The campaign primarily involves phishing attacks that impersonate legitimate organizations to steal credentials and compromise email accounts.

The threat actor shows a noticeable lack of operational security (OPSEC), allowing Cloudforce One to gain insight into their tooling and methods. Investigators identified custom-built tools like CloudPhish, which automates the creation of malicious cloud infrastructure, enabling the actor to exfiltrate credentials and emails from targeted organizations.

SloppyLemming’s credential harvesting operations begin with spear-phishing emails designed to mimic legitimate correspondence from trusted sources. These emails include links to fake login portals created using Cloudflare Workers. Once a target enters their credentials, the information is sent to the threat actor via a Discord webhook.

Cloudforce One obtained a script used by the actor, which automates the process of harvesting emails from compromised accounts. The script, written in Python, logs into the victim's email inbox, navigates through emails, and downloads any attachments. The script further demonstrates how the actor gains persistent access to sensitive information, exploiting vulnerabilities in platforms like Google OAuth to steal tokens and exfiltrate data.

Moreover, SloppyLemming has been observed leveraging CVE-2023-38831, a vulnerability in older versions of WinRAR. The actor uses this exploit to deploy malware from cloud services like Dropbox, with the final payload being a remote access tool (RAT) designed to establish long-term access to victim systems.

SloppyLemming’s operations have been far-reaching, with a clear focus on Pakistani government and defense entities. Other high-profile targets include law enforcement agencies, energy sector organizations, and technology firms. Beyond Pakistan, Cloudforce One identified additional victims in Bangladesh, Sri Lanka, Nepal, and China.

Interestingly, the campaign has expanded to include a small but significant amount of C2 traffic from Australia, hinting at potential government-related targeting. SloppyLemming’s focus on credential harvesting, token collection, and malware deployment poses a severe risk to national security, critical infrastructure, and private sector organizations in the region.

Insights and Analysis

Cloudforce One, in collaboration with other industry partners such as Dropbox, GitHub, and Discord, has taken proactive measures to disrupt SloppyLemming’s operations. In total, Cloudforce One successfully mitigated 13 Cloudflare Workers involved in the campaign and deployed advanced detection capabilities to thwart future attacks.

To defend against SloppyLemming, Cloudforce One recommends the following steps:

  1. Implement Zero Trust architecture: Ensure all access points within the network are continuously verified.
  2. Deploy Endpoint Detection and Response (EDR): Tools like CrowdStrike or Microsoft Defender should be used to monitor and prevent malicious activities on endpoints.
  3. Monitor for Indicators of Compromise (IOCs): Regularly scan your environment for IOCs, including domain names and malware samples associated with SloppyLemming.
  4. Update Systems: Ensure all systems, especially those using WinRAR and Microsoft products, are up-to-date to mitigate vulnerabilities like CVE-2023-38831.

SloppyLemming’s activities highlight the growing threat of state-sponsored cyber espionage campaigns targeting critical industries in South and East Asia. Organizations operating in these regions should remain vigilant, adopt comprehensive security measures, and regularly monitor for potential signs of compromise.

Indicators of Compromise (IOCs)

| Indicator | Type | Description |
|---|---|---|
| mail-na-gov-pk.na-gov-pk.workers[.]dev | Domain | Fake login portal for the National Assembly of Pakistan used in credential harvesting operations. |
| storage-e13.sharepoint-e13.workers[.]dev | Domain | Cloudflare Worker used to collect Google OAuth tokens. |
| zoom.osutuga7.workers[.]dev | Domain | Malicious Worker used to reconstruct OAuth tokens and exfiltrate them over Discord. |
| sharepoint-punjab.sharepoint-e13.workers[.]dev | Domain | Cloudflare Worker used to redirect victims to a Dropbox-hosted RAR file exploiting the WinRAR vulnerability. |
| pitb.gov-pkgov.workers[.]dev | Domain | Phishing domain masquerading as the Punjab Information Technology Board. |
| CamScanner-06-10-2024-15.29.rar | File (SHA256) | RAR file likely used to exploit the CVE-2023-38831 vulnerability in WinRAR. |
| NekroWire.dll | File (SHA256) | Remote Access Tool (RAT) delivered through the malware chain, exfiltrating data to adversary C2. |
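Recommendation 3 above (monitor for IOCs) applied to the indicators in this table, as an added example that is not Cloudforce One's tooling: it refangs the defanged domains, sweeps constructed proxy log lines for hits on the listed Workers, on credential POSTs to any other workers.dev host, and on the listed file names. The log format (timestamp, client IP, method, URL) and all sample lines are assumed.

```python
"""IOC sweep over proxy log lines for the SloppyLemming indicators listed above.
Constructed example; the log layout and sample lines are assumptions."""
import re
from dataclasses import dataclass

# Defanged indicators copied from the IOC table, refanged for matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "mail-na-gov-pk.na-gov-pk.workers[.]dev",
    "storage-e13.sharepoint-e13.workers[.]dev",
    "zoom.osutuga7.workers[.]dev",
    "sharepoint-punjab.sharepoint-e13.workers[.]dev",
    "pitb.gov-pkgov.workers[.]dev",
)]
IOC_FILENAMES = {"CamScanner-06-10-2024-15.29.rar", "NekroWire.dll"}
# Assumed log line shape: <timestamp> <client-ip> <method> <url>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")

@dataclass
class Hit:
    client: str
    reason: str
    url: str

def host_of(url: str) -> str:
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def sweep(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the assumed layout
            continue
        _ts, client, method, url = m.groups()
        host = host_of(url)
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(Hit(client, "ioc-domain", url))  # listed Worker or subdomain
        elif host.endswith(".workers.dev") and method == "POST":
            # Same pattern as the fake login portals, but a Worker not on the list
            hits.append(Hit(client, "workers-dev-post", url))
        if url.rsplit("/", 1)[-1] in IOC_FILENAMES:
            hits.append(Hit(client, "ioc-filename", url))  # e.g. the RAR lure
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic
    "2024-09-24T10:01:02Z 10.0.0.5 GET https://mail-na-gov-pk.na-gov-pk.workers.dev/login",
    "2024-09-24T10:01:09Z 10.0.0.5 POST https://mail-na-gov-pk.na-gov-pk.workers.dev/login",
    "2024-09-24T10:02:00Z 10.0.0.7 POST https://unlisted-tenant.workers.dev/auth",
    "2024-09-24T10:03:00Z 10.0.0.9 GET https://www.dropbox.com/s/EXAMPLE/CamScanner-06-10-2024-15.29.rar",
    "2024-09-24T10:04:00Z 10.0.0.9 GET https://www.example.com/",
    "garbage line",
]
```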

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | Phishing: Spear Phishing Attachment | T1566.001 | SloppyLemming sends spear phishing emails to gain initial access by tricking users into downloading malware. |
| Credential Access | Credential Dumping | T1003 | The actor harvests credentials using fake login portals and Cloudflare Workers for credential logging. |
| Defense Evasion | Exploitation for Defense Evasion | T1210 | Use of the WinRAR vulnerability (CVE-2023-38831) to bypass security defenses and execute malware. |
| Command and Control | Web Service | T1102.001 | Cloudflare Workers are used to communicate with the C2 infrastructure and exfiltrate data. |
| Collection | Email Collection | T1114 | SloppyLemming collects emails from compromised accounts after obtaining login credentials. |

References

Unraveling SloppyLemming’s Operations Across South Asia
Cloudforce One has tracked a persistent, state-aligned actor targeting regional governments, militaries, energy and technology organizations across South and East Asia.