An advanced threat actor with ties to India has been observed abusing multiple cloud service providers for credential harvesting, malware delivery, and command-and-control (C2) operations. This cyber espionage group, dubbed SloppyLemming by web infrastructure and security company Cloudflare, is also tracked under the aliases Outrider Tiger and Fishing Elephant.
SloppyLemming has been active since at least July 2021, targeting a wide range of entities, including government, law enforcement, energy, education, telecommunications, and technology organizations across South and East Asia. Countries affected include Pakistan, Sri Lanka, Bangladesh, China, Nepal, and Indonesia.
Cloud Service Exploitation and Campaign Tactics
Cloudflare reports that SloppyLemming has extensively used Cloudflare Workers since late 2022 to support its espionage operations. Cloudflare Workers allow developers to execute JavaScript in the cloud, but in this case, SloppyLemming leveraged them for malicious purposes, including handling credential logging and exfiltration.
The group employs spear-phishing techniques to initiate its attacks. Victims receive emails designed to create a sense of urgency, compelling them to click on a malicious link under the pretense of needing to complete an essential process. These emails often lead to credential harvesting pages, giving SloppyLemming unauthorized access to the victims' accounts within targeted organizations.
One of the key tools in SloppyLemming's arsenal is a custom-built tool called CloudPhish, which is used to create malicious Cloudflare Workers for logging and exfiltrating credentials. In some cases, the group also captures Google OAuth tokens to gain access to email accounts or cloud-based services.
Malware and Exploits
The malware delivered by SloppyLemming is varied and sophisticated. The group has previously deployed malware like Ares RAT and WarHawk, linking it to known hacking groups such as SideWinder and SideCopy. SideWinder has been associated with Indian origins, while SideCopy is believed to be a Pakistani threat actor.
One infection method used by SloppyLemming involves booby-trapped RAR archives, such as a file named "CamScanner 06-10-2024 15.29.rar," which likely exploits a known WinRAR vulnerability (CVE-2023-38831) to achieve remote code execution. The RAR files contain an executable that stealthily loads a malicious DLL, CRYPTSP.dll, designed to retrieve a remote access trojan (RAT) from Dropbox.
This technique bears similarities to past attacks by the SideCopy group, which used Ares RAT to target Indian government and defense sectors by distributing malicious ZIP archives. These campaigns often exploited the same vulnerabilities to distribute malware.
Targeted Phishing and Sideloading Attacks
SloppyLemming has also used phishing tactics targeting the Punjab Information Technology Board (PITB) in Pakistan. The group created a fake PITB website, redirecting visitors to a page containing an internet shortcut file designed to download and execute a malicious binary. This executable was used to sideload a rogue DLL file, profapi.dll, which communicated with the group’s C2 infrastructure.
Cloudflare Workers as C2 Intermediaries
A significant aspect of SloppyLemming’s strategy is its use of Cloudflare Worker URLs as intermediaries. These URLs relay requests to the actual C2 domains operated by the group, such as aljazeerak[.]online. By fronting its infrastructure with Cloudflare Workers, SloppyLemming adds an extra layer of obfuscation, making it harder to trace the true origin of its C2 servers.
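As an added illustration (not code from the article or from Cloudflare's report) of how a defender could surface the two tradecraft patterns described above, the sideloading of CRYPTSP.dll and profapi.dll from user-writable paths and the use of Cloudflare Worker URLs as C2 relays, the following script triages constructed endpoint telemetry. It assumes a simple "kind|process|value" line format and that Worker relays are reached via the default workers.dev hostname; the sample log lines and hostnames are constructed, not indicators from the report.

```python
import ntpath
from urllib.parse import urlparse

# DLL names the article reports SloppyLemming sideloading via a benign executable.
SIDELOADED_DLLS = {"cryptsp.dll", "profapi.dll"}
# Directories where these DLLs legitimately live; any other location is a sideload candidate.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def is_suspicious_sideload(image_loaded: str) -> bool:
    """True when a known-abused DLL name is loaded from outside the Windows system directories."""
    directory, name = ntpath.split(image_loaded)
    return name.lower() in SIDELOADED_DLLS and directory.lower() not in TRUSTED_DIRS


def is_workers_relay(url: str) -> bool:
    """True when an outbound URL targets a Cloudflare Workers default hostname (assumption: workers.dev)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "workers.dev" or host.endswith(".workers.dev")


def triage(lines):
    """Parse constructed 'kind|process|value' log lines and return the ones worth an alert."""
    hits = []
    for line in lines:
        kind, process, value = line.strip().split("|", 2)
        if kind == "ImageLoad" and is_suspicious_sideload(value):
            hits.append(("sideload", process, value))
        elif kind == "HttpRequest" and is_workers_relay(value):
            hits.append(("workers-c2", process, value))
    return hits


# Constructed sample telemetry; process names, paths and hostnames are placeholders.
SAMPLE_LOG = [
    r"ImageLoad|C:\Users\u\Downloads\CamScanner.exe|C:\Users\u\Downloads\CRYPTSP.dll",
    r"ImageLoad|C:\Windows\explorer.exe|C:\Windows\System32\cryptsp.dll",
    r"ImageLoad|C:\Users\u\AppData\Local\Temp\viewer.exe|C:\Users\u\AppData\Local\Temp\profapi.dll",
    r"HttpRequest|C:\Users\u\AppData\Local\Temp\viewer.exe|https://example-relay.workers.dev/api/beacon",
    r"HttpRequest|C:\Program Files\Browser\browser.exe|https://www.example.com/",
]

if __name__ == "__main__":
    for kind, process, value in triage(SAMPLE_LOG):
        print(f"{kind}: {process} -> {value}")
```

A Workers hostname alone is weak evidence, since legitimate applications use them too; the value comes from correlating it with the process that loaded an out-of-place DLL, as the third and fourth sample lines do.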
Targeted Sectors and Geopolitical Implications
Cloudflare's analysis reveals that SloppyLemming has focused on entities of critical importance, particularly in Pakistan. The group's targets include Pakistani police departments, law enforcement agencies, and organizations involved in the operation of Pakistan's sole nuclear power facility. This suggests that the group is targeting entities of strategic value, potentially to gather intelligence on Pakistan’s security infrastructure.
In addition to Pakistan, SloppyLemming has targeted government and military organizations in Sri Lanka and Bangladesh, as well as Chinese entities in the energy and academic sectors. This wide range of targets indicates a broad espionage campaign with significant geopolitical implications, especially given the tension in South Asia between rival nations.
Conclusion
SloppyLemming is a complex and persistent threat actor that continues to evolve its tactics to abuse cloud infrastructure, deliver malware, and harvest credentials. Although the group's use of Cloudflare Workers is innovative, its reliance on spear-phishing, malware distribution, and DLL sideloading shows that it is equally well-versed in traditional espionage tradecraft.
This campaign, which spans multiple countries and critical sectors, underscores the need for heightened cybersecurity vigilance across the region. As cloud service providers become a more integral part of cyber operations, both legitimate and malicious, organizations will need to stay ahead of emerging threats like SloppyLemming, whatever name it is tracked under.