SloppyLemming, a threat actor primarily targeting South and East Asian countries, has been using Cloudflare Workers for espionage activities since late 2022.
The actor, likely associated with OUTRIDER TIGER, displays poor operational security, allowing Cloudforce One to gain insights into its tooling.
It primarily targets Pakistani government, defense, telecommunications, technology, and energy sector organizations but also has interests in Bangladesh, Sri Lanka, Nepal, and China.
In order to carry out its attacks, the actor relies heavily on open-source adversary emulation frameworks such as Havoc and Cobalt Strike.
It harvests email credentials with phishing emails that convey a fake sense of update urgency to trick users into clicking a malicious link, which leads to a fake login page hosted on a Cloudflare Worker and created by the actor's custom tool CloudPhish.
CloudPhish tailors the login page to resemble the target’s webmail and steals credentials upon login. If successful, the tool then leverages scripts to collect emails and potentially attachments from the compromised inbox.
SloppyLemming also targets Pakistani users with phishing emails whose links pass through malicious Cloudflare Workers that redirect users to phishing sites disguised as legitimate government or corporate entities.
These sites attempt to steal Gmail OAuth tokens and credentials. In another campaign, clicking a link in a phishing email redirects users to a malicious site that downloads a RAR archive containing a decoy PDF and an executable disguised as another PDF.
The WinRAR vulnerability (CVE-2023-38831) allows the executable to be run, which in turn downloads a malicious DLL (NekroWire.dll) that acts as a RAT.
The threat actor, known for credential harvesting, has expanded its targeting to include Australia, in addition to its traditional focus on Pakistan, Bangladesh, and Sri Lanka.
The actor’s infrastructure, hosted on Alibaba Cloud, has been observed resolving to various domains associated with the actor’s activities. Cloudforce One has identified numerous domains used by SloppyLemming, including those leveraging Cloudflare reverse proxy services.
Government, law enforcement, and defense agencies, along with other important organizations in the targeted regions, are the actor's primary targets.
To protect against future attacks, Cloudforce One recommends putting in place security measures such as Zero Trust architecture, Cloud Email Security, and EDR tools.
Additionally, users can hunt for SloppyLemming activity using PowerShell scripts, Microsoft Sentinel rules, or Splunk queries that look for WinRAR exploit execution.
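As an added example (not from the report or from any of the vendor hunting content it mentions), the following Python hunt runs over constructed process-creation events in a simplified Sysmon Event ID 1 layout and flags the CVE-2023-38831 execution pattern: WinRAR.exe launching a script or executable out of its %TEMP%\Rar$<id> extraction directory, with a spoofed document name such as "Report.pdf .exe" raising the verdict to high. The field names, sample paths and extension lists are assumptions.

```python
# Constructed sample events (simplified Sysmon Event ID 1 fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\Rar$DIa1234.5678\Report.pdf .exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\Rar$DIa1234.5678\Report.pdf .exe"'},
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
     "CommandLine": r'"C:\Program Files\Adobe\Acrobat\Acrobat.exe" "C:\Users\u\AppData\Local\Temp\Rar$DIa1234.5678\Report.pdf"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\u\Downloads\setup.exe",
     "CommandLine": r'"C:\Users\u\Downloads\setup.exe"'},
]

# Assumed extension lists: what counts as runnable, and what a decoy name imitates.
EXEC_EXT = (".exe", ".cmd", ".bat", ".com", ".scr", ".vbs", ".js", ".ps1")
DECOY_EXT = (".pdf", ".doc", ".docx", ".jpg", ".png", ".txt", ".xls", ".xlsx")


def classify(event):
    """Return (verdict, reason) for one process-creation event."""
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    if not parent.endswith("\\winrar.exe"):
        return ("benign", "parent is not WinRAR")
    # WinRAR extracts a double-clicked entry to %TEMP%\Rar$<id>\ before opening it,
    # so a child process living in that directory is the tell; a PDF handler
    # started from WinRAR with the file only on its command line is normal.
    if "\\rar$" not in image:
        return ("benign", "child not launched from WinRAR temp directory")
    if not image.endswith(EXEC_EXT):
        return ("benign", "child is not a script or executable")
    name = image.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]  # strip the real extension, e.g. "report.pdf "
    # CVE-2023-38831 decoys look like "<name>.<docext> .<execext>": a document
    # extension followed by a space, then the extension that actually runs.
    if stem.endswith(tuple(d + " " for d in DECOY_EXT)):
        return ("high", "spoofed document name executed from WinRAR temp directory")
    return ("medium", "executable launched from WinRAR temp directory")


def hunt(events):
    """Return (image, verdict, reason) for every event that is not benign."""
    hits = []
    for event in events:
        verdict, reason = classify(event)
        if verdict != "benign":
            hits.append((event["Image"], verdict, reason))
    return hits
```

Feeding real Sysmon or EDR process-creation records into hunt() needs only a mapping of their field names onto ParentImage and Image.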