Unraveling SloppyLemming’s operations across South Asia

Table of contents

Executive summary

Who is SloppyLemming?

SloppyLemming phishing activity focuses on credential, token collection

Malware operations

Additional C2 infrastructure and traffic analysis

SloppyLemming targeting and victimology

Mitigating SloppyLemming activity

Cloudflare product detections

Indicators of compromise

Related products

Cloud email security
Secure web gateway

Cloudforce One is publishing the results of an investigation into an advanced actor that uses multiple cloud service providers to facilitate different aspects of their activities, such as credential harvesting, malware delivery and command and control (C2). This actor conducts extensive operations targeting Pakistani, Sri Lanka, Bangladesh, and China. Industries targeted include government, law enforcement, energy, telecommunications, and technology entities.

Executive summary

• Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers likely as part of a broad espionage campaign targeting South and East Asian countries

• SloppyLemming displays a lack of operational security (OPSEC) allowing Cloudforce One insight into its tooling

• The actor primarily targets Pakistani government, defense, telecommunications, technology, and energy sector organizations; SloppyLemming also targets Bangladesh, Sri Lanka, Nepal, and China

Who is SloppyLemming?

SloppyLemming is the cryptonym given by Cloudforce One to this threat actor, which aligns with the adversary OUTRIDER TIGER tracked by CrowdStrike. The actor predominantly relies on open source adversary emulation frameworks, such as Cobalt Strike, Havoc, and others. Based on Cloudflare’s visibility, the actor predominantly targets within Asia. Pakistan is a primary target for SloppyLemming; however, the actor also routinely targets Bangladesh, Indonesia, Sri Lanka, China, and Nepal. Targeted sectors predominantly consist of government entities within Pakistan.

SloppyLemming phishing activity focuses on credential, token collection

SloppyLemming extensively uses credential harvesting as a means to gain access to targeted email accounts within organizations that provide intelligence value to the actor. Throughout our research, Cloudforce One has been able to replicate the actor’s credential harvesting chain. Through our unique visibility, we have also obtained actor-side tools that help facilitate the creation of malicious Workers used in credential harvesting operations, and a utility to collect emails from compromised accounts

SloppyLemming credential harvesting overview

First, SloppyLemming operators will craft a phishing email that is likely tailor-made for the target to ensure a higher degree of success in the user clicking a malicious link. An example draft phishing email obtained by Cloudforce One can be found below:

Next, the actor uses a custom-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor. CloudPhish works in the following manner:

1. Operator inputs the following parameters:

   1. “Mission” name (Generally, the target of the operation)

   2. ​​Target URL

   3. Discord Webhook URL

   4. Redirect URL

   5. Cloudflare URL

2. Scrapes targeted webmail login HTML content

   1. Checks if its a support mail client (i.e. Zimbra, Axigen, or cPanel)

   2. Replaces legitimate code within scraped webmail login with a link to a malicious Worker’s redirect endpoint

3. Assembles final Worker script

   1. Inputs final HTML code of fraudulent login portal with actor redirect

   2. Implements credential logging and exfiltration over Discord

SloppyLemming operators will then send malicious emails to their intended targets, and upon receiving login credentials for a compromised account, the actor will then collect emails of interest from the victim. Cloudforce One obtained a copy of a likely actor-side script that allows for the collection of emails from a given account. Portions of this script are detailed below.

Cloudforce One obtained a tutorial likely created by the threat actor where they explain how to use their CloudPhish tool to create a malicious script for credential harvesting operations.

The above screenshot is taken from the training materials, where the actor has created a fake login page masquerading as the webmail portal for the National Assembly of Pakistan. The credential harvesting page is hosted at the Cloudflare Worker domain hxxps[:]//mail-na-gov-pk.na-gov-pk.workers[.]dev/api/login.

SloppyLemming Google OAuth token collection

In a limited capacity, we have observed SloppyLemming activity focusing on collecting Google OAuth tokens. Cloudforce One identified a script hosted at storage-e13.sharepoint-e13.workers[.]dev, which contained code that upon visiting the domain displayed to the user a PDF loaded as an iFrame.

After the PDF loads, the user is then redirected to another malicious Worker at the URL https[:]//zoom.osutuga7.workers[.]dev/authenticate,
where the server-side code (portions of which are provided below) attempts
to reconstruct the user’s Gmail OAuth token to transmit back to the adversary. Similar to how the actor sends credentials via Discord, the OAuth token is also delivered to the actor over Discord.

Finally, another decoy PDF is displayed in the browser following the token’s collection by the adversary. In this instance, the decoy PDF is a contract update between Taxila Heavy Industries (a Pakistani state-owned enterprise and defense contractor that produces tanks, personnel carriers, and other military vehicles) and a Pakistani metal fabrication company named International Fabrication Company.

Malware operations

During July 2024, Cloudforce One identified a SloppyLemming Worker that redirects a user to a file hosted on Dropbox. The Worker - sharepoint-punjab.sharepoint-e13.workers[.]dev - contains code that checks if the user is presented a link containing a PDF file named “CamScanner-06-10-2024-15.29.pdf”, and if the condition is met the user is then redirected to a Dropbox URL, as shown in the code below:

The file hosted on Dropbox is a RAR file named “CamScanner 06-10-2024 15.29.rar” (SHA256 hash: a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b2
16327591b1e1113391c609fd17). The RAR likely attempts to exploit CVE-2023-38831 - a vulnerability in WinRAR versions before 6.23, which Cloudforce One also observed FlyingYeti use during its COOKBOX campaign targeting Ukraine. The contents of the RAR file are as follows:

The RAR contains a PDF with the same name as a subdirectory with executable content inside. When attempting to access a file contained in the archive with a vulnerable version of WinRAR, the contents of the directory will also be executed. In this case, the “CamScanner 06-12-2024 15.29.pdf .exe” file is run, which is used to load CRYPTSP.dll via DLL side-loading.

CRYPTSP.dll in turn acts as a downloader, which downloads from Dropbox a file named Outlook.eml (SHA256 hash: b6ae5b714f18ca40a111498d0991e1e30cd9
5317b4904d2ef0d49937f0552000). The file is not actually an email file, but a renamed Dynamic Link Library (DLL) with an internal name of NekroWire.dll. The final payload is a Remote Access Tool (RAT) that reaches out to several Cloudflare Workers, which all contain the same C2 address - redzone.apl-org[.]online. The Worker code that handles the C2 communications contains configuration information, which can be found below.

Separate SloppyLemming infection chain observed

A separate infection chain used by SloppyLemming likely consists of the actor sending a spear phishing message with a link to the domain mailpitb-securedocs.zapto[.]org, which masquerades as the Punjab Information Technology Board in Pakistan. An identified actor Github account contains code that logs when targets navigate to mailpitb-securedocs.zapto[.]org, and then transmits the logs to the actor via Discord. The target is then directed to \\pitb.zapto[.]org@SSL@443\webdav. The code that handles this part of the infection chain is below:

The value of the file variable in the code above is base64-encoded, and once decoded reveals the next step in the infection chain:

The current contents of pitb.zapto[.]org/webdav/pitb is a file named “CIM and IT-Integration.pdf.url” (SHA256 hash: e3bc0246ab95b527aa86e52e62f554ab8db045
23f35aee50b508d0fa48ab49f7), which is actually an Internet Shortcut file that contains a URL to download a file:

The downloaded file, PITB-JR5124.exe (SHA256 hash: b53c7b13a4af47c3976bfad63fe9c5fd988dc
0807dd040e8d63d790b65394afb), is a legitimate executable that is used to sideload a DLL named profapi.dll. Cloudforce One identified several malicious DLL files located within the directory pitb.zapto[.]org/webdav/, details of which can be found below.

The above malware samples were all observed communicating with a Cloudflare Worker - pitb.gov-pkgov.workers[.]dev. Analysis of the code reveals that the Worker relays requests to the actual C2 domain used by the actor. In this instance the C2 is aljazeerak[.]online, which currently resolves to the Alibaba US Technology Co., Ltd-owned IP address 8.219.169[.]226.

Additional C2 infrastructure and traffic analysis

Pivoting on the domain pitb.zapto[.]org, which currently resolves to another Alibaba IP address 47.74.10[.]112, reveals this indicator presently and historically resolved to other likely actor-controlled domains, such as:

• sco.zapto[.]org

• mofapak[.]info

• confidential.zapto[.]org

• humariweb[.]info

• modp-pk[.]org

• itsupport-gov[.]com

Separately, Cloudforce One notes that the below is a list of domains used by SloppyLemming that leveraged Cloudflare reverse proxy services and have been mitigated:

• apl-org[.]online

• apl-com[.]icu

• maldevfudding[.]com

• navybd-gov[.]info

• 168-gov[.]info

• aljazeerak[.]online

• adobefileshare[.]com

• crec-bd[.]site

• quran-books[.]store

• hurr.zapto[.]org

• hascolgov[.]info

• helpdesk-lab[.]site

Based on Cloudforce One’s visibility into the actor’s C2 infrastructure, the below graphic details a sampling of C2 traffic from confirmed C2 domains between September 1st and September 6th of 2024.

While Pakistan, Bangladesh, and Sri Lanka are consistent with the actor’s target scope, the occurrence of a not-insignificant amount of likely C2 traffic from Australian IP addresses may indicate an expansion of the actor’s targeting. Observed IP addresses were geolocated within Canberra, the Australian capital, leaving open the possibility that the targeting may be government related.

SloppyLemming targeting and victimology

Broadly, Cloudforce One observes that the overwhelming majority of credential harvesting operations conducted by SloppyLemming predominantly focus on Pakistan, with the majority of targeted organizations falling within the following categories:

• Government

  • Law enforcement

  • Defense

  • Legislative organizations

  • Foreign Affairs

  • Transportation

  • Logistics

• Technology

  • IT providers

  • Telecommunications

• Energy

  • Construction

  • Equipment operators

• Education

  • Universities

Of particular interest, Cloudforce One has observed concerted efforts by SloppyLemming to target Pakistani police departments and other law enforcement organizations. Separately, there are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan’s sole nuclear power facility. Outside of Pakistan, SloppyLemming’s credential harvesting has focused primarily on Sri Lankan and Bangladeshi government and military organizations, and to a lesser extent, Chinese energy and academic sector entities.

Mitigating SloppyLemming activity

Upon discovery of SloppyLemming threat activity, Cloudforce One took a series of steps to disrupt the threat actor's operations. We developed, tested, and deployed new detections on the Cloudflare platform to identify and mitigate the actor’s activity. In total, we mitigated 13 Workers, and we also notified other cloud services that were leveraged in SloppyLemming operations.

A timeline of SloppyLemming’s activity and our corresponding mitigations can be found below.

Event timeline

Coordinating our SloppyLemming response

Cloudforce One leveraged industry relationships to provide advanced warning and to mitigate the actor’s activity. To provide further protection against this threat actor, Cloudforce One notified and collaborated with Github, Dropbox and Discord Threat Intelligence and Trust and Safety Teams. We also notified Cloudflare industry partners such as CrowdStrike, Mandiant/Google Threat Intelligence, and Microsoft Threat Intelligence.

Hunting SloppyLemming operations

There are several ways to hunt SloppyLemming in your environment. These include using PowerShell to hunt for WinRAR files, deploying Microsoft Sentinel analytics rules, and running Splunk scripts as detailed below. Note that these detections may identify activity related to this threat, but may also trigger unrelated threat activity.

PowerShell hunting

Consider running a PowerShell script such as this one in your environment to identify exploitation of CVE-2023-38831. This script will interrogate WinRAR files for evidence of the exploit.

Microsoft Sentinel

In Microsoft Sentinel, consider deploying the rule provided below, which identifies WinRAR execution via cmd.exe. Results generated by this rule may be indicative of attack activity on the endpoint and should be analyzed.

Splunk

Consider using this script in your Splunk environment to look for WinRAR CVE-2023-38831 execution on your Microsoft endpoints. Results generated by this script may be indicative of attack activity on the endpoint and should be analyzed.

Cloudflare product detections

Cloudflare Email Security

Cloudflare Email Security (CES) customers can identify SloppyLemming activity with the following detections.

• CVE-2023-38831

• SloppyLemming.Campaign.Police

Recommendations

Cloudflare recommends taking the following steps to mitigate this type of activity:

• Implement Zero Trust architecture foundations:

  • Deploy Cloud Email Security to ensure that email services are protected against phishing, BEC and other threats

• Ensure your systems have the latest WinRAR and Microsoft security updates installed

• Consider preventing WinRAR files from entering your environment, both at your Cloud Email Security solution and your Internet Traffic Gateway

• Run an Endpoint Detection and Response (EDR) tool such as CrowdStrike or Microsoft Defender for Endpoint to get visibility into binary execution on hosts

• Search your environment for the SloppyLemming indicators of compromise (IOCs) shown below to identify potential actor activity within your network

If you’re looking to uncover additional Threat Intelligence insights for your organization or need bespoke Threat Intelligence information for an incident, consider engaging with Cloudforce One by contacting your Customer Success manager or filling out this form.

Indicators of compromise

SloppyLemming infrastructure

SloppyLemming malware samples

Mitigated SloppyLemming Workers domains

• mail-na-gov-pk.na-gov-pk.workers[.]dev

• storage-e13.sharepoint-e13.workers[.]dev

• zoom.osutuga7.workers[.]dev

• sharepoint-punjab.sharepoint-e13.workers[.]dev

• pitb.gov-pkgov.workers[.]dev

• mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers[.]dev

• herald-b2a.workers[.]dev

• images-11d.workers[.]dev

• classifieds.workers[.]dev

• dawnnews.workers[.]dev

• aurora.dawn-904.workers[.]dev

• epaper.dawn-323.workers[.]dev

• obituary.workers[.]dev

About Cloudforce One

Cloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that detect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political gain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with publishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions. We identify and defend against attacks with unique insight that no one else has.

The foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which encompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the Internet, giving us unparalleled visibility into global events – including the most interesting attacks on the Internet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the point of launch, and turn intelligence into tactical success.