
Indian Threat Actors Target South And East Asian Entities

Recent reports have revealed that Indian threat actors are using multiple cloud service providers for malicious purposes. The activity centers on credential harvesting, malware delivery, and command-and-control (C2). In this article, we’ll cover who the Indian threat actor is targeting and what the attack chain looks like. Let’s begin!

Indian Threat Actors Uncovered 

Before we dive into details about the targets of the threat actor, it’s worth mentioning that its activities are being tracked by Cloudflare under the name SloppyLemming. Commenting on the Indian threat actors, Cloudflare has stated that: 

“Between late 2022 to present, SloppyLemming has routinely used Cloudflare Workers, likely as part of a broad espionage campaign targeting South and East Asian countries.”

Besides using Cloudflare Workers, the Indian threat actor group has been involved in prior campaigns in which malware, including Ares RAT and WarHawk, was leveraged. In addition, the group also has ties with other threat actors known as SideWinder and SideCopy, the latter being a threat actor group likely of Pakistani origin.

As far as the targets are concerned, SloppyLemming’s activities target law enforcement, energy, education, telecommunications, technology, and government entities located in various countries that include:

  • China
  • Nepal
  • Pakistan
  • Sri Lanka
  • Indonesia
  • Bangladesh

SloppyLemming Spear-Phishing Emails

As far as the attack chain is concerned, these Indian threat actors initiate the attack via spear-phishing emails that are sent to targets they wish to compromise. Within these emails is a malicious link and the recipients are manipulated into clicking by a fabricated and false sense of urgency.

The premise behind the urgency is that a targeted victim is made to believe that they must complete a mandatory process within 24 hours. Once a victim clicks on the malicious link, they’re taken to a credential harvesting page, which serves as a staging ground for the Indian threat actors to gain unauthorized access.

Commenting on the method, Cloudflare stated that: 

“The actor uses a custom-built tool named CloudPhish to create a malicious Cloudflare Worker to handle the credential logging logic and exfiltration of victim credentials to the threat actor.”

Indian Hacker WinRAR Exploit

Apart from this, some attacks initiated by the Indian threat actors are also known for exploiting a WinRAR vulnerability tracked as CVE-2023-38831. It’s worth mentioning that a successful exploit of this vulnerability gives threat actors remote code execution.

The RAR file sent to targeted victims contains an executable that not only drops a decoy document but also loads “CRYPTSP.dll.” This .dll file facilitates payload deployment by downloading a remote access trojan from Dropbox.
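The CRYPTSP.dll loading described above is a classic DLL side-loading pattern: a legitimate Windows DLL name loaded from a user-writable directory next to the executable rather than from System32. The following detection logic is an added example, not code from the original post or from Cloudflare; it runs over constructed Sysmon-style image-load records (the field names and the WinRAR “Rar$…” temp-directory naming are assumptions for illustration).

```python
# Known-good locations for Windows system DLLs (compared case-insensitively).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed Sysmon-style Event ID 7 (Image loaded) records for this example;
# not real telemetry. The "Rar$EXa..." directory mimics where WinRAR extracts a
# file that is opened directly from an archive (naming is an assumption).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\cryptsp.dll", "Signed": "true"},
    {"Image": r"C:\Users\user\AppData\Local\Temp\Rar$EXa9876.4321\statement.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\Rar$EXa9876.4321\CRYPTSP.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]


def _dir_and_base(path):
    """Split a Windows path into (lowercase directory, lowercase file name)."""
    normalized = path.replace("/", "\\").lower().rstrip("\\")
    directory, _, base = normalized.rpartition("\\")
    return directory, base


def sideload_reasons(event):
    """Return the reasons an image-load event looks like CRYPTSP.dll side-loading."""
    reasons = []
    exe_dir, _ = _dir_and_base(event["Image"])
    dll_dir, dll_name = _dir_and_base(event["ImageLoaded"])
    if dll_name == "cryptsp.dll" and dll_dir not in SYSTEM_DLL_DIRS:
        reasons.append("cryptsp.dll loaded from outside System32/SysWOW64")
    if dll_name == "cryptsp.dll" and event.get("Signed", "").lower() != "true":
        reasons.append("unsigned copy of a Windows system DLL")
    if "\\rar$" in exe_dir:
        # Executables run straight out of an archive land in a WinRAR temp folder.
        reasons.append("process executed from a WinRAR temp directory")
    return reasons


def scan(events):
    """Return (index, reasons) for every event that triggers at least one check."""
    hits = []
    for index, event in enumerate(events):
        reasons = sideload_reasons(event)
        if reasons:
            hits.append((index, reasons))
    return hits
```

Only the second record is flagged; the legitimate System32 load and the vendor helper DLL produce no alert.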

Impersonation Of Pakistani Legal Entities 

In addition, these Indian threat actors are known for impersonating the Punjab Information Technology Board (PITB) in Pakistan. 

As part of a different attack methodology, the Indian hackers lure victims to a phony website mimicking the Pakistani legal body mentioned above. The website facilitates infecting the compromised system with the payload. Once the payload is executed, it contacts a Cloudflare Worker. 

The Cloudflare Worker URL serves as an intermediary and relays requests to an adversary-controlled C2 domain, “aljazeerak[.]online.” Providing insights on the Pakistani entities being targeted, Cloudflare has stated that:

“There are indications that the actor has targeted entities involved in the operation and maintenance of Pakistan’s sole nuclear power facility.”

Conclusion 

Indian threat actors, tracked as SloppyLemming, are targeting South and East Asian entities through spear-phishing, malware, and C2 domains. Their sophisticated methods, including exploiting WinRAR vulnerabilities and impersonating legal entities, showcase an alarming cyber espionage campaign focused on high-value sectors like energy and government systems.

Cyberthreats of such a nature indicate the necessity of implementing advanced cybersecurity measures that aid in reducing, or even eliminating, the exposure to risk and help achieve the extent of security now required. 

The sources for this piece include articles in The Hacker News and Ground News.

The post Indian Threat Actors Target South And East Asian Entities appeared first on TuxCare.

*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/indian-threat-actors-target-south-and-east-asian-entities/