Nuclear threat in the clouds: SloppyLemming attacks the energy sector

Specialists from Cloudflare have uncovered the tactics of elusive hackers.

Web infrastructure and security experts from Cloudflare have identified the activity of an advanced group of hackers associated with India, called SloppyLemming (also known as Outrider Tiger and Fishing Elephant). This group uses the services of cloud providers to collect account data, distribute malware, and manage attacks.

Since the end of 2022, SloppyLemming has regularly used Cloudflare Workers to conduct cyberespionage aimed at South and East Asia. The group is known to have been operating since at least July 2021, having previously used the Ares RAT and WarHawk malware. The latter is associated with the well-known hacking group SideWinder, while the Ares RAT is associated with the SideCopy threat, which is likely of Pakistani origin.

The targets of SloppyLemming attacks are government agencies, law enforcement agencies, energy and technology companies, as well as educational and telecommunications organizations in Pakistan, Sri Lanka, Bangladesh, China, Nepal and Indonesia. The main attack method is phishing emails that encourage victims to click on a malicious link, supposedly to perform a mandatory action within 24 hours.

Clicking on the link leads to a page designed to steal credentials, after which the attackers gain unauthorized access to corporate email. To carry out this attack, SloppyLemming uses the CloudPhish tool, which creates malicious Cloudflare Workers and intercepts account data.

There have also been cases where hackers have exploited a vulnerability in WinRAR (CVE-2023-38831) to remotely execute code by sending infected RAR archives masquerading as files from the CamScanner scanning application. Inside the archive is an executable file that downloads the Trojan from Dropbox.
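The CVE-2023-38831 archives can be recognised from their entry listing alone, before any file is opened: a decoy document sits next to a directory whose name is the decoy's name plus a trailing space, and that directory holds a script or executable whose name also begins with the decoy's. The checker below is an added example, not code from the article or from Cloudflare; the entry names are constructed, the same test is applicable to a RAR listing, and Python's `zipfile` is used only to build an inert fixture because parsing RAR needs a third-party library.

```python
"""Flag the file/directory name collision used to trigger CVE-2023-38831.

Added defensive example; not from the original article.  Entry names are
constructed and are not indicators from the campaign described above.
"""
import io
import posixpath
import zipfile

# Extensions a collision payload typically carries inside the look-alike folder.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".com"}


def find_cve_2023_38831_collisions(entries):
    """Return (decoy, payload_path) pairs found in an archive listing.

    `entries` are paths as a RAR/ZIP tool lists them: '/'-separated,
    directory entries optionally ending in '/'.
    """
    names = [e.rstrip("/") for e in entries]
    hits = []
    for path in names:
        if "/" not in path:
            continue  # top-level entry, cannot be a payload inside a folder
        folder, leaf = path.rsplit("/", 1)
        decoy = folder.rstrip(" ")
        # Tell-tale sign: folder name == an existing entry name + trailing space(s).
        if decoy == folder or decoy not in names:
            continue
        # Payload mimics the decoy's name and carries an executable extension.
        if leaf.startswith(decoy) and posixpath.splitext(leaf)[1].lower() in SCRIPT_EXTS:
            hits.append((decoy, path))
    return hits


def scan_zip(data: bytes):
    """Run the collision check over the listing of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_collisions(zf.namelist())


def build_constructed_sample() -> bytes:
    """Build a harmless ZIP fixture with the collision layout (constructed, inert text)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_2023.pdf", "decoy document text")
        zf.writestr("scan_2023.pdf /scan_2023.pdf .cmd", "echo fixture only")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip(build_constructed_sample()))
```

Applied to a mail-gateway or sandbox archive listing, a non-empty result is enough to quarantine the attachment without extracting it.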

Previously, in a similar SideCopy campaign, the hackers distributed the Ares RAT using ZIP archives called "DocScanner_AUG_2023.zip" and "DocScanner-Oct.zip". The target of the attack then was the Indian government and defense departments.

A third method of infection from SloppyLemming involves redirecting victims to a fake site that mimics the official resource of the Punjab Information Technology Board in Pakistan. Users are then redirected to another site, where they download a malicious shortcut that leads to the "PITB-JR5124.exe" executable. This file triggers the download of a malicious DLL that contacts Cloudflare Workers to transmit data to the attackers.

According to Cloudflare, hackers from SloppyLemming are actively attacking the police and other law enforcement agencies in Pakistan, as well as organizations associated with the operation of the country's only nuclear power plant. In addition, among the group's targets are the military and government institutions of Sri Lanka and Bangladesh, as well as Chinese companies in the energy and education sectors.
