Pulse Detail — Threat Intelligence

PULSE NAME

Unraveling SloppyLemming’s Operations Across South Asia

WHITE SloppyLemming AlienVault 2024-09-27 Modified: 2024-10-27

IOCs

HIGH VOLUME

An investigation reveals SloppyLemming, an advanced threat actor targeting South and East Asian countries, particularly Pakistan. The group uses multiple cloud services for credential harvesting, malware delivery, and command and control. Their operations focus on government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Bangladesh, Sri Lanka, and China. SloppyLemming employs phishing tactics, exploits vulnerabilities, and utilizes various malware tools. The actor's lack of operational security has provided insights into their tooling and infrastructure. Cloudflare has taken steps to disrupt the actor's operations and collaborated with industry partners to mitigate the threat.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1071 T1140 T1219 T1036 T1055 T1218 T1090 T1059 T1584 T1586 T1102 T1204 T1547.001 T1566 T1027 T1573 T1132 T1585 T1189

MALWARE FAMILIES

Cobalt Strike - S0154 Havoc NekroWire

Indicators of Compromise (72)

All CVE FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
CVE	CVE-2023-38831	—	2024-09-27
FileHash-MD5	659ab8cb034e557fce0c3ecd631f3590	—	2024-09-27
FileHash-MD5	e2a32e7d772a9a4eeccee9c71ec3a6d4	—	2024-09-27
FileHash-MD5	fa40357daaa8ed8e73eeef25f0f478ac	—	2024-09-27
FileHash-SHA1	9b45b35d577680022e20d20dc7052463398ccf36	—	2024-09-27
FileHash-SHA1	b53de85852479ea2a772bd3407b9e4d38eb1e1e7	—	2024-09-27
FileHash-SHA1	bc490c61ce87efc0faf93dd4160219ef303e3e1d	—	2024-09-27
FileHash-SHA256	06f82a8d80ec911498e3493ebefa8ad45e102dd887ce2edc11f8f51bafab2e80	—	2024-09-27
FileHash-SHA256	3dfb8d198de95090e2ad3ffc9d9846af5c3074563acb0ce5b0ef62b20e4bf432	—	2024-09-27
FileHash-SHA256	82e99ceea9e6d31555b0f2bf637318fd97e5609e3d4d1341aec39db2e26cf211	—	2024-09-27
FileHash-SHA256	95cf90b2610c6f0ec67c1d669cd252468f6c3b8eaeea588f342d2bd74d90e093	—	2024-09-27
FileHash-SHA256	a3c9b56a0ce787d7aa7787d9ff0e806a6fb0b216327591b1e1113391c609fd17	—	2024-09-27
FileHash-SHA256	ac3dff91982709f575cfbc6954b61130b4eeab5d3759772db220f1b76836be4d	—	2024-09-27
FileHash-SHA256	b6ae5b714f18ca40a111498d0991e1e30cd95317b4904d2ef0d49937f0552000	—	2024-09-27
FileHash-SHA256	e3bc0246ab95b527aa86e52e62f554ab8db04523f35aee50b508d0fa48ab49f7	—	2024-09-27
FileHash-SHA256	fb4397c837c7e401712764f953723153d5bb462bc944518959288ea47dec6446	—	2024-09-27
domain	cflayerprotection.com	—	2024-09-27
domain	cloudlflares.com	—	2024-09-27
domain	crec-bd.site	—	2024-09-27
domain	email.click	—	2024-09-27
domain	hit-pk.org	—	2024-09-27
domain	humariweb.info	—	2024-09-27
domain	itsupport-gov.com	—	2024-09-27
domain	jammycanonicalupdates.cloud	—	2024-09-27
domain	link.click	—	2024-09-27
domain	modp-pk.org	—	2024-09-27
domain	mofapak.info	—	2024-09-27
domain	opensecurity-legacy.com	—	2024-09-27
domain	paknavy-pk.org	—	2024-09-27
domain	quran-books.store	—	2024-09-27
domain	updpcn.online	—	2024-09-27
hostname	accounts.opensecurity-legacy.com	—	2024-09-27
hostname	acrobat.paknavy-pk.org	—	2024-09-27
hostname	api.opensecurity-legacy.com	—	2024-09-27
hostname	bin.opensecurity-legacy.com	—	2024-09-27
hostname	blabla.apl-com.icu	—	2024-09-27
hostname	browser.apl-org.online	—	2024-09-27
hostname	cloud.adobefileshare.com	—	2024-09-27
hostname	cloud.cflayerprotection.com	—	2024-09-27
hostname	confidential.zapto.org	—	2024-09-27
hostname	data.cloudlflares.com	—	2024-09-27
hostname	dawn.apl-org.online	—	2024-09-27
hostname	docs.apl-com.icu	—	2024-09-27
hostname	fonts.apl-org.online	—	2024-09-27
hostname	frontend-m.opensecurity-legacy.com	—	2024-09-27
hostname	hesco.hascolgov.info	—	2024-09-27
hostname	hurr.zapto.org	—	2024-09-27
hostname	locaal.navybd-gov.info	—	2024-09-27
hostname	localhost.apl-com.icu	—	2024-09-27
hostname	locall.hascolgov.info	—	2024-09-27
hostname	login.apl-org.online	—	2024-09-27
hostname	m.opensecurity-legacy.com	—	2024-09-27
hostname	mail.apl-com.icu	—	2024-09-27
hostname	mail.pakistangov.com	—	2024-09-27
hostname	mailpitb-securedocs.zapto.org	—	2024-09-27
hostname	monitor.opensecurity-legacy.com	—	2024-09-27
hostname	oil.hascolgov.info	—	2024-09-27
hostname	openkm.paknavy-pk.org	—	2024-09-27
hostname	owa-spamcheck.apl-org.online	—	2024-09-27
hostname	pitb.zapto.org	—	2024-09-27
hostname	redzone.apl-org.online	—	2024-09-27
hostname	redzone2.apl-org.online	—	2024-09-27
hostname	sco.zapto.org	—	2024-09-27
hostname	secure.cflayerprotection.com	—	2024-09-27
hostname	secure.cloudlflares.com	—	2024-09-27
hostname	sensors.opensecurity-legacy.com	—	2024-09-27
hostname	static.opensecurity-legacy.com	—	2024-09-27
hostname	update.apl-org.online	—	2024-09-27
hostname	www.168-gov.info	—	2024-09-27
hostname	www.cloudlflares.com	—	2024-09-27
hostname	www.crec-bd.site	—	2024-09-27
hostname	zero-berlin-covenant.apl-org.online	—	2024-09-27

References (1)

↗ https://blog.cloudflare.com/unraveling-sloppylemming-operations/