Research

Ever think about the duality of fishing and hunting? Folks may argue fishing is a more passive endeavor. One sets a lure and waits. Hunting on the other hand, folks may argue, is a more active endeavor in which a hunter might generally be expected to seek out their intended target.
Let’s put this in terms of cyber threats. Most humans by now have undoubtedly heard of cyber attacks and perhaps even had some experiences with phishing in its various forms be it over email, text, voice call or a discord channel. But, what about the threat hunters? Threat hunting proactively seeks out undetected threats, usually within an organization’s network. Investigating indicators in a threat report can identify suspicious domains, detect patterns, and correlate findings with other sources.
With that said, thousands upon thousands of ill-intent domains are registered every day and some few fine folks set out the hounds and have a proper hunt. As one does, the trails are scoured and more indicators are found. But without further ado, this is one such quarry.
Opening Meet
This hunt got its start from a CloudFlare report on SloppyLemming. Also known as Outrider Tiger, SloppyLemming has reportedly been targeting Pakistani entities among others in Southeast Asia since late 2022. A range of domains have been utilized to lure victims into credential harvesting sites and deliver malware.
Frequent Domain Registration Patterns
- Use of CloudFlare services
- 90 day SSL Certificates
- Trends in domain naming convention
- Frequently assessed with risk scores of 100 by DomainTools
There’s the scent and the hunt begins. Sifting through domain registrations, DNS records, web scan data and the like, the lines form.
Hunting For Associated Indicators:
SloppyLemming domain `aljazeerak[.]online`
Website Title `Pakistan International Airlines - PIA | Great People to Fly With`
-> Unreported domain `fly-pakistan[.]com`
Historic Screenshot of domain aljazeerak[.]online masquerading as a Pakistani Airline

SloppyLemming domain `itsupport-gov[.]com`
whois email `abdulrehm8282[@]gmail[.]com`
-> Unreported domain `itsupport-gov[.]net`
- SSL temok[.]com + MX eye-mail[.]net + Registrar NameSilo
- Has Google Code `G-5XJE64N2SQ`
SloppyLemming domains `cflayerprotection[.]com, cloudlflares[.]com`
Whois Email `cht8p9zpl5[@]domprivacy[.]de`
-> Unreported domains
mfaturk[.]com
firebasebackups[.]com
cloudproxyserv[.]com
Historic Screenshot of domain paknavy-pk[.]org

Hunting CloudFlare Worker Subdomain Name Masquerades in DNS Records
Next, we search for CloudFlare Workers[.]dev subdomains whose names combine navy or gov with pk or lk, using DNSDB Scout.
;; query: Regex RRNames (navy|gov)-(pk|lk).+workers\.dev\.$ ANY (Limit 5000) // Last After: 2024-09-26 00:00:00 (UTC)
Sample:
```
anfbalochistan-gov-pk.workers[.]dev
clickonce.pakistan-gov-pk.workers[.]dev
cpanel-nha-gov-pk.pakistan-gov-pk.workers[.]dev
discordoutput.pakistan-gov-pk.workers[.]dev
email-moitt-gov-pk.pakistan-gov-pk.workers[.]dev
fbr-gov-pk-auth.workers[.]dev
gda-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
gov-pk.workers[.]dev
gov-pkgov.workers[.]dev
gwadarport-gov-pk.gwadarportt.workers[.]dev
helpdesk-police-gov-pk.aabhimulla446.workers[.]dev
instagram-com.pakistan-gov-pk.workers[.]dev
ispr-gov-pk.workers[.]dev
kpt-gov-pk.workers[.]dev
maif-piac-aero.gov-pkgov.workers[.]dev
mail-asian-parliament-org.pakistan-gov-pk.workers[.]dev
mail-communication-gov-pk.pakistan-gov-pk.workers[.]dev
mail-depo-gov-pk.govtpak.workers[.]dev
mail-depo-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-dgdp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecac-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ecp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecp-gov-pk.pakistan-gov-pk.workers[.]dev
mail-fbr.gov-pk.workers[.]dev
mail-gwadarport-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
mail-gwadarport-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-hit-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-invest-gov-pk.gwadarportt.workers[.]dev
mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-kpt-gov-pk.gob-pk.workers[.]dev
mail-kpt-gov-pk.niancao010.workers[.]dev
mail-kpt-gov-pk.pak-gov-pk.workers[.]dev
mail-mod-gov-pk.pakistan-gov-pk.workers[.]dev
mail-modp.gov-pkgov.workers[.]dev
mail-modp-gov-pk.govtpak.workers[.]dev
mail-modp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-modp-gov-pk.pak-gov-pk.workers[.]dev
mail-mofa-gov-pk.pakistan-gov-pk.workers[.]dev
mail-na-gov-pk.na-gov-pk.workers[.]dev
mail-nba-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ntc-net-pk.gov-pkgov.workers[.]dev
mail-paf-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-paknavy.gov-pk.workers[.]dev
mail-pc-gov-pk-login.ethanhunthero125.workers[.]dev
mail-pof-gov-pk.govtpak.workers[.]dev
mail-ppra-org-pk.pakistan-gov-pk.workers[.]dev
mail-punjab-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-punjab-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-punjab-gov-pk.punjab-info-tech-board.workers[.]dev
mail-sco-gov-pk.mil-bd.workers[.]dev
mail-sco-gov-pk.ntc-telecomcorporation.workers[.]dev
meharusman524gov-pk.workers[.]dev
meharusman524gov-pk4230.workers[.]dev
na-gov-pk.workers[.]dev
na-gov-pk-bfd.workers[.]dev
navy-lk.workers[.]dev
nha-gov-pk.pakistan-gov-pk.workers[.]dev
old-violet-aae5.meharusman524gov-pk4230.workers[.]dev
pak-gov-pk.workers[.]dev
pakistan-gov-pk.workers[.]dev
paknavy-gov-pk.workers[.]dev
pitb.gov-pkgov.workers[.]dev
pitb-gov-pk.workers[.]dev
pmo-gov-pk-auth.workers[.]dev
pof-gov-pk.workers[.]dev
pythonscanner.gov-pkgov.workers[.]dev
reports-ecp-gov-pk.mlc-landdistribution.workers[.]dev
throbbing-sun-f4e8.meharusman524gov-pk4230.workers[.]dev
wapda-gov-pk.workers[.]dev
webmail.wapda-gov-pk.workers[.]dev
webmail-gda-gov-pk.gwadarportt.workers[.]dev
webmail-wapda-gov-pk.pakistan-gov-pk.workers[.]dev
worker-cool-credit-6d6f.navy-lk.workers[.]dev
worker-dark-paper-2231.gov-pkgov.workers[.]dev
worker-patient-wave-96d1.pakistan-gov-pk.workers[.]dev
worker-plain-wind-01a9.pakistan-gov-pk.workers[.]dev
worker-silent-pond-c90d.pakistan-gov-pk.workers[.]dev
```

- Site content of domain `pythonscanner.gov-pkgov.workers[.]dev`
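As an added illustration (not code from the post or from DNSDB), the following Python applies the same RRName regex offline to a constructed, defanged sample drawn from the output above and pulls out, for each hit, the Workers account name and the legitimate hostname the subdomain appears to imitate. The hyphens-to-dots reconstruction of the imitated hostname is my heuristic, not something DNSDB provides, and the two non-matching names in the sample are constructed.

```python
import re

# The DNSDB Scout RRName regex from the hunt above. DNSDB RRNames carry a trailing
# dot, so the pattern anchors on "workers.dev." at the end and is unanchored at the start.
HUNT_RE = re.compile(r"(navy|gov)-(pk|lk).+workers\.dev\.$")
TOKEN_RE = re.compile(r"(navy|gov)-(pk|lk)")

# Constructed passive-DNS sample, defanged as in the post. The first four names are
# taken from the hunt output above; the last two are constructed non-matches.
SAMPLE_RRNAMES = [
    "mail-modp-gov-pk.pakistan-gov-pk.workers[.]dev",
    "worker-cool-credit-6d6f.navy-lk.workers[.]dev",
    "helpdesk-police-gov-pk.aabhimulla446.workers[.]dev",
    "pythonscanner.gov-pkgov.workers[.]dev",
    "login-gov-in.example-tenant.workers[.]dev",  # constructed: different country code
    "mail.gov[.]pk",                               # constructed: not a workers.dev host
]

def refang(name):
    return name.replace("[.]", ".")

def defang(name):
    return name.replace(".", "[.]")

def matches_hunt(rrname):
    """Apply the DNSDB regex to one RRName, defanged or not, normalising the trailing dot."""
    fqdn = refang(rrname).rstrip(".") + "."
    return HUNT_RE.search(fqdn) is not None

def implied_target(rrname):
    """Heuristic: the first label carrying a gov-pk / navy-lk style token, with its
    hyphens read as dots, is the legitimate hostname the worker is imitating."""
    for label in refang(rrname).rstrip(".").split("."):
        if TOKEN_RE.search(label):
            return label.replace("-", ".")
    return None

def hunt(rrnames):
    """One record per matching RRName: the Workers account (the label directly under
    workers.dev, i.e. the registrant-chosen name) and the hostname it masquerades as."""
    hits = []
    for rrname in rrnames:
        labels = refang(rrname).rstrip(".").split(".")
        if not matches_hunt(rrname) or labels[-2:] != ["workers", "dev"]:
            continue
        hits.append({
            "rrname": defang(refang(rrname)),
            "account": labels[-3],
            "implied_target": implied_target(rrname),
        })
    return hits
```

Grouping the hits by `account` is a quick way to see which Workers tenants host several masquerades at once, as `pakistan-gov-pk` and `ntc-telecomcorporation` do in the list above.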
Hunting for Domain Masquerades in Whois and Web Scans
This pass hunted for Pakistani domain masquerades hosted on CloudFlare. Broader hunts like this are apt to uncover unintended prey; in this case, we stumbled on a mix of Pakistani travel and government job board masquerades, as well as crypto exchange masquerades.
```
govtjobspak[.]live
pakkjob[.]com
pakgovtsjobs[.]com
gov-declare[.]help
karakfinance[.]cfd
fi-ton[.]org
```



```
search:query=CoinTelegraphLegal.pdf&crumb=location:\\45.82.13[.]15@80\Downloads\&displayname=Downloads
```
Conclusion
Hunting for undetected threats can take on many forms. Prompted by threat reports and intelligence, threat hunters may cast a wider net to seek out undetected indicators, detect patterns, and correlate findings with other sources of information. That said, wider nets can catch more than the intended quarry. In this case, the net turned up an ecosystem of websites impersonating Pakistani airlines and government job boards, as well as remnants of malicious domains and scanners on Pakistani government domains. While it may not all be SloppyLemming activity, it highlights an apparently more widespread targeting of Pakistan.
References

Since 1 August 2024, a likely India-nexus targeted intrusion actor has targeted entities in China and South Asia using credential phishing pages mimicking legitimate webmail login portals. Domain naming conventions as well as observed phishing pages reveal likely targeting of entities in the government and defense sectors. Observed tactics, techniques, and procedures and target scope are consistent with public reporting on Indian targeted intrusion actors.
Details
Identified domains share the following similarities:
- Registration via 1api registrar service
- Use of Royalhost nameservers
- Resolving to the IP address 65.21.85[.]206
- Domain naming convention using webmail login or file download themes often combined with references to specific, likely targeted entities
The 65.21.85[.]206 IP address is a shared host resolving numerous domains likely unrelated to the India-nexus targeted intrusion activity. However, historical data from this host indicates the India-nexus actor has used 65.21.85[.]206 since at least April 2024 to host phishing domains.
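An added example, not code from the report, of turning the four similarities above into a triage rule that honours the shared-host caveat: a domain on 65.21.85[.]206 is only clustered with the actor when the registrar or nameserver also overlaps, and a phishing-themed name on the shared host is flagged for manual review rather than attributed outright. The nameserver hostnames, the theme keyword list and every domain other than the two named in the report are constructed.

```python
import re

# Pivot attributes listed in the report above. The IP and registrar name are the
# report's; the nameserver pattern and theme keywords are my reading of its wording.
ACTOR_REGISTRAR = "1api"
ACTOR_NS_RE = re.compile(r"royalhost", re.I)
ACTOR_IP = "65.21.85.206"
THEME_RE = re.compile(r"(webmail|mail|login|download|files?|session)", re.I)

def refang(value):
    return value.replace("[.]", ".")

def classify(rec):
    """Label one WHOIS/passive-DNS record. The shared IP on its own is never enough,
    because the host also serves unrelated tenants; it has to be corroborated by
    actor-specific registration infrastructure or, more weakly, by the naming theme."""
    reg = rec["registrar"].lower() == ACTOR_REGISTRAR
    ns = ACTOR_NS_RE.search(rec["ns"]) is not None
    ip = refang(rec["ip"]) == ACTOR_IP
    theme = THEME_RE.search(refang(rec["domain"])) is not None
    if (ip and (reg or ns)) or (reg and ns):
        return "actor-cluster"      # infrastructure overlap beyond the shared host
    if ip and theme:
        return "candidate"          # shared host + phishing-style name: review manually
    if ip:
        return "shared-host-only"   # the report's caveat: probably an unrelated tenant
    return "unrelated"

def cluster(records):
    """Group domains by label so the actor set can be separated from shared-host noise."""
    groups = {}
    for rec in records:
        groups.setdefault(classify(rec), []).append(rec["domain"])
    return groups

# Constructed records in the shape a pivot on the IP would return (defanged). Only
# nepal-mofa[.]com and mail-downloadfiles[.]com are named in the report; the nameserver
# hostnames and the remaining domains are constructed to exercise the shared-host caveat.
RECORDS = [
    {"domain": "nepal-mofa[.]com", "registrar": "1API", "ns": "ns1.royalhost-constructed.example", "ip": "65.21.85[.]206"},
    {"domain": "mail-downloadfiles[.]com", "registrar": "1api", "ns": "ns2.royalhost-constructed.example", "ip": "65.21.85[.]206"},
    {"domain": "login-files-constructed[.]com", "registrar": "other-registrar", "ns": "ns.other.example", "ip": "65.21.85[.]206"},
    {"domain": "bakery-constructed[.]net", "registrar": "other-registrar", "ns": "ns.other.example", "ip": "65.21.85[.]206"},
    {"domain": "webmail-constructed[.]org", "registrar": "other-registrar", "ns": "ns.other.example", "ip": "203.0.113[.]9"},
]
```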

Figure 1. Example Credential Phishing Page from nepal-mofa[.]com
Analysis of this activity also shows one of the actor-registered domains (never-giveup.mail-downloadfiles[.]com) redirecting to a credential phishing page hosted on the cloud service Netlify (large-files-d0wnl0ad-session-expired.netlify[.]app). These domains are likely being used to target Chinese entities.

Figure 2. Chinese-language Credential Phishing Page Hosted on Netlify
IOCs
Conclusion
This activity is consistent with targeted intrusion activity identified in previous public reporting. Naming conventions are generally consistent with activity from the group known as Sidewinder with domains spoofing webmail login portals and the targeting of entities in China and South Asia. The India-nexus targeted intrusion group known as Patchwork also historically exhibited a similar target scope.

In a recent article from KrebsonSecurity, they detail that at least a dozen organizations with domain names at domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace accounts that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.
Read the research: https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

In this 15th edition, M-Trends provides an inside look at the evolving cyber threat landscape, with data drawn directly from frontline incident response investigations and threat intelligence findings of high-impact attacks and remediations around the globe.
- The latest incident response metrics including dwell times, detection sources, initial infection vectors, and so much more
- China-nexus attackers increasingly targeting edge devices and platforms that lack EDR
- Trending adversary operations and motivations behind zero day attacks
- The evolution of phishing techniques amidst modern security controls
- How attackers are leveraging AiTM to compromise multi-factor authentication safeguards
- The reasons and solutions behind growing cloud and hybrid cloud environment intrusions
- How AI is effectively used in red and purple team operations to help boost cyber defenses
Read Anton Chuvakin's take on the report: https://medium.com/anton-on-security/reading-the-mandiant-m-trends-2024-acb3208add80

Another year has passed and that means another Verizon DBIR. For those who don’t want to read the full DBIR, here is our perspective from the Internet intelligence side of cybersecurity:
- Median time for users to fall for phishing emails is 49 seconds
- Pretexting is a more likely social action than Phishing
- Ransomware was a top threat across 92% of industries (less representative than last year - median ratio of initially requested ransom and company revenue was only 1.34%)
- The human element was a component of 68% of breaches
What do these threats all have in common? DNS!

The Resurgence of the “Manipulaters” Team - Breaking HeartSenders
In January 2024, The Manipulaters pleaded with Brian Krebs to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.
https://krebsonsecurity.com/2024/04/the-manipulaters-improve-phishing-still-fail-at-opsec
