BlackBerry, SloppyLemming, and Guess Who...Cloudflare

On 18 November 2024, BlackBerry’s threat research team reported on a cyber espionage campaign targeting the Pakistan Navy. This campaign used malicious documents to collect credentials and distribute malware. While BlackBerry did not attribute this activity to a specific actor, subsequent analysis by DomainTools revealed significant overlaps in tactics, techniques, and procedures (TTPs) and in targeting scope with the cyber-espionage group known as SloppyLemming.

Review of BlackBerry Report

Recent activity from this campaign involved the deployment of a malicious PDF document in early September 2024. The document resembles an internal IT memo, instructing recipients on integrating Axigen Thunderbird for secure email communications. The document contained a link to a malicious website (paknavy.rf[.]gd) mimicking the legitimate Pakistan Navy domain.

Upon visiting the fraudulent site, users were prompted to download a ZIP file, “Axigen_Thunderbird.zip,” which included a malicious Thunderbird extension. Once installed, the extension requested credentials for “@paknavy.gov.pk” email addresses. Entered credentials were transmitted to an actor-controlled domain (updateschedulers[.]com), and the extension downloaded a malware payload hosted on the same domain. BlackBerry researchers identified the malware as a variant of Sync-Scheduler. Public reporting from March 2024 first identified this malware family and its use of the domain packageupdates[.]net for command and control (C2). BlackBerry also identified related activity in the May/June 2024 time frame using the C2 domain extension.webmailmigration[.]com.

Further analysis by DomainTools uncovered an additional, likely associated domain: diplomaticservices[.]link. Whois data for this domain shows a registrant organization of “National Telecom Corporation,” likely referencing the Pakistani government’s telecommunications provider. The only other domain using this registrant organization since 2010 is the webmailmigration[.]com domain from the BlackBerry report.

Overlap with SloppyLemming Actor 

In September 2024, Cloudflare’s threat research team reported on an India-nexus cyber espionage actor it dubbed SloppyLemming (aka OUTRIDER TIGER). This actor primarily targets Pakistan, with a focus on government and defense. SloppyLemming frequently leverages its custom CloudPhish credential logging tool on Cloudflare Worker domains to compromise email credentials from targeted individuals. One of the mail clients CloudPhish specifically targeted was Axigen, which was the mail client referenced in the malicious activity covered in the BlackBerry report. SloppyLemming also employed PDF documents for credential collection and malware delivery.

Data from the urlscan.io scanning service shows an Axigen webmail credential phishing page present on www.login.webmailmigration[.]com in April 2024. Similar Axigen phishing pages were present on the following domains between February and July 2024:

  • mail-pakchinainvest-com.niancao010.workers[.]dev
  • webmail.cybar-net-pk.workers[.]dev
  • mail.pof-gov-pk.workers[.]dev

These domains use a similar domain naming convention to that detailed in the SloppyLemming report.

Figure 1. Screenshot of credential phishing pages present on www.login.webmailmigration[.]com in April 2024 (left) and mail.pof-gov-pk.workers[.]dev in August 2024 (right)

Additional similarities between the recent BlackBerry and Cloudflare reports include the actor’s use of malicious PDFs for malware delivery and a Pakistan-centric target scope.

Conclusion

It is likely that SloppyLemming is the actor responsible for the malicious activity described in BlackBerry’s recent report. This assessment is made with low confidence based on similar credential phishing and malware delivery TTPs, as well as a Pakistan-focused target scope. However, it is plausible that the BlackBerry report discusses a separate actor from SloppyLemming that is employing similar TTPs.

IOCs

paknavy[.]rf[.]gd
updateschedulers[.]com
packageupdates[.]net
finance-gov-pk[.]rf[.]gd
extension[.]webmailmigration[.]com
diplomaticservices[.]link

Fake Job Boards

Fake government job boards attempt to trick job seekers into providing personal information that may be used for fraud, phishing, or other malicious purposes. The bad actors behind these fake job boards cause harm by soliciting an application fee from victims, instructing them to download malicious files, or deceiving them into giving up personal information such as resumes, historic addresses, and contact information.

Multiple countries were identified as targeted by a high number of fake government job boards. For instance, many of the identified domains masquerading as US government job boards were reportedly associated with email campaigns. Those in Pakistan and India appear largely fraud related and employ WhatsApp and Telegram groups. Fake Taiwanese government job postings are suspected to be harvesting personal information for phishing and fraud.

Similarly, nation states such as North Korea also host fake job postings for phishing and create fake personas in attempts to be hired by, and gain access to, western tech companies.

Details

Fake US Government Job Websites

A cluster of domains dating back to as early as 2017, along with their associated mail servers, has been used in email spam. The domain names masquerade as government job or contract bid sites. The domains are frequently configured to redirect to legitimate government job sites such as govcb[.]com and governmentcontracts[.]us, likely for the purpose of appearing more legitimate upon inspection.

Example mail server:

Website Title:
  • Government Contracts | State, Local, and Federal Contract Opportunities in U.S.

Domains:
  • govcb-bids-alert[.]us
  • govcb-bids-bulletin[.]us
  • govcb-bids-notice[.]us
  • govcb-contracts-alert[.]us
  • govcb-contracts-news[.]us
  • govcb-contracts-notice[.]us
  • governmentbiddersinfo[.]us
  • governmentbiddinginfo[.]us
  • governmentcontracts-bids[.]us
  • governmentcontracts-opps[.]us
  • govnt-contracts-bulletin[.]us
  • govnt-contracts-news[.]us
  • govnt-contracts-notice[.]us
  • govtcontracts-bids-news[.]us
  • govtcontracts-bids-notice[.]us
  • topicfocus[.]com
  • usagovnmt-bids-alert[.]us
  • usagovnmt-contracts-alert[.]us

IP Addresses:
  • 185.227.110.78
  • 44.215.207.48

Email Addresses:
  • bizoppscast[@]gmail[.]com
  • 9d8a0b48cf9f33e2s[@]gmail[.]com
  • openfos[@]gmail[.]com
  • ibcwork2000[@]gmail[.]com
  • bobbykin[@]gmail[.]com
  • dnswizard[@]gmail[.]com

Fake Taiwanese Government Job Websites

These domains spoof the legitimate taiwanjobs[.]gov[.]tw website for the purposes of phishing, information gathering, and credential harvesting. The taiwanjobs[.]gov[.]tw website displays a warning about ongoing phishing activity using fake look-alike websites.

Website Title:
  • 台灣就業通 - 找工作 -- 一般會員登入 (TaiwanJobs - Find a Job -- General Member Login)

Domains:
  • taiwanjobs-govi[.]store
  • job-taiwanjobs-gov[.]shop
  • taiwanjobs-gov[.]shop
  • taiwanjobs-govl[.]shop
  • taiwanjobs-govi[.]shop
  • taiwanjobs.tv-login[.]shop
  • taiwanjobs.login-hk[.]shop

Fake MELA Government Job Websites

Mela Network is the Middle Eastern arm of a global network spanning 46 countries. Their website states: “Mela's mission is to help executives in the MENA (Middle East and North Africa) region grow professionally and personally by exposing them to best practices in leadership and connecting them with a global network of peers.” [https://melanetwork.org/]

Website Title:
  • Latest Government Job Updates

Domains:
  • govtjobmela[.]com

WhatsApp / Telegram / Form Links:
  • https[:]//whatsapp[.]com/channel/0029VamcZ7z2f3EFetXjBT0Y
  • https[:]//forms[.]gle/cMGVxKaQtedP5aEn9
  • https[:]//docs.google[.]com/forms/d/e/1FAIpQLSc6XXH5piHCg6NAqf32tqifOCgGLoxsvSvvI7z7K7GDVvJGJw/viewform?usp=send_form

Trackers:
  • N/A

Fake Indian Government Job Websites

Website Titles and Domains:
  • Homepage - Indian government job (indiangovermentjob[.]com)
  • Odisha govt job.in (odishagovtjobb[.]com)
  • Free Govt.Jobs New (freegovtjobsnews[.]in)

WhatsApp / Telegram Links:
  • https[:]//whatsapp[.]com/channel/0029Vaf9yFa8qIzszkVsxC22
  • https[:]//t[.]me/odishagovtjobs_in
  • https[:]//telegram[.]me/freegovtjobsnews
  • https[:]//whatsapp[.]com/channel/0029Va9BF444tRrpPdiJ9Q3m

Trackers:
  • https[:]//www.googletagmanager[.]com/gtag/js?id=AW-827762966
  • https[:]//www.googletagmanager[.]com/gtag/js?id=G-CB0GVX4XGH
  • https[:]//www.googletagmanager[.]com/gtag/js?id=G-2FFTX02ZD9
  • https[:]//www.googletagmanager[.]com/gtag/js?id=G-B2J2TJBSQ1

Fake Pakistan Government Job Websites

Fake Pakistan government job boards are similar to the fake Indian government job boards described above. WhatsApp channel and Telegram group links are displayed on the pages. Many of these sites are suspected of being used for phishing and fraud.

Website Titles:
  • Latest Government Jobs in Pakistan
  • Pakistan Governments Jobs 2024
  • Pakistan Governments Jobs
  • Government Jobs in Pakistan

Domains:
  • govtpakjobz[.]com
  • govtpakjobz[.]world
  • govtsjobspak[.]com
  • pakgovtsjobs[.]com
  • govtjobspk[.]online
  • dailygovtjob[.]site
  • allgovtjobz[.]pk
  • pkgovtjobz[.]site
  • pakistanigovtjobs[.]com
  • govtjobz[.]online

WhatsApp / Telegram Links:
  • https[:]//whatsapp[.]com/channel/0029VakKrcuHLHQaZ1GCtn0y

Conclusion

Fake job boards are common around the world. They seek to take advantage of job seekers’ motivations in order to harvest personal information and may lead to additional fraud schemes, phishing, identity theft, and malware delivery.

Job seekers should conduct research on job postings before applying, recognize domain name masquerades and be wary of unsolicited job offers. Additionally, it's crucial to recognize red flags such as unexpected fees, high-pressure tactics, requests for sensitive personal information, and unknown personas offering special favors.

IOCs

Hunting Phishers

Ever think about the duality of fishing and hunting? Folks may argue fishing is a more passive endeavor. One sets a lure and waits. Hunting on the other hand, folks may argue, is a more active endeavor in which a hunter might generally be expected to seek out their intended target. 

Let’s put this in terms of cyber threats. Most humans by now have undoubtedly heard of cyber attacks and perhaps even had some experience with phishing in its various forms, be it over email, text, voice call or a Discord channel. But what about the threat hunters? Threat hunting proactively seeks out undetected threats, usually within an organization’s network. Investigating indicators in a threat report can identify suspicious domains, detect patterns, and correlate findings with other sources.

With that said, thousands upon thousands of ill-intent domains are registered every day and some few fine folks set out the hounds and have a proper hunt. As one does, the trails are scoured and more indicators are found. But without further ado, this is one such quarry.

Opening Meet

This hunt got its start from a Cloudflare report on SloppyLemming. Also known as Outrider Tiger, SloppyLemming has reportedly been targeting Pakistani entities, among others in South Asia, since late 2022. A range of domains has been utilized to lure victims to credential harvesting sites and deliver malware.

Frequent Domain Registration Patterns

  • Use of Cloudflare services
  • 90-day SSL certificates
  • Trends in domain naming convention
  • Frequently assessed with risk scores of 100 by DomainTools

There’s the scent and the hunt begins. Sifting through domain registrations, DNS records, web scan data and the like, the lines form.

Hunting For Associated Indicators:

SloppyLemming domain `aljazeerak[.]online`

Website Title `Pakistan International Airlines - PIA | Great People to Fly With`
-> Unreported domain `fly-pakistan[.]com`

Historic Screenshot of domain aljazeerak[.]online masquerading as a Pakistani Airline

SloppyLemming domain `itsupport-gov[.]com`

whois email `abdulrehm8282[@]gmail[.]com`

-> Unreported domain `itsupport-gov[.]net`

- SSL temok[.]com + MX eye-mail[.]net + Registrar NameSilo 

- Has Google Code `G-5XJE64N2SQ`

SloppyLemming domains `cflayerprotection[.]com, cloudlflares[.]com`

Whois Email `cht8p9zpl5[@]domprivacy[.]de`

-> Unreported domains
  • mfaturk[.]com
  • firebasebackups[.]com
  • cloudproxyserv[.]com

Historic Screenshot of domain paknavy-pk[.]org

Hunting Cloudflare Workers With Subdomain Name Masquerades in DNS Records

Next, we search for Cloudflare workers[.]dev subdomains combining navy or gov with pk or lk naming elements, using DNSDB Scout:

;; query: Regex RRNames (navy|gov)-(pk|lk).+workers\.dev\.$ ANY (Limit 5000) // Last After: 2024-09-26 00:00:00 (UTC)

Sample:

```
anfbalochistan-gov-pk.workers[.]dev
clickonce.pakistan-gov-pk.workers[.]dev
cpanel-nha-gov-pk.pakistan-gov-pk.workers[.]dev
discordoutput.pakistan-gov-pk.workers[.]dev
email-moitt-gov-pk.pakistan-gov-pk.workers[.]dev
fbr-gov-pk-auth.workers[.]dev
gda-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
gov-pk.workers[.]dev
gov-pkgov.workers[.]dev
gwadarport-gov-pk.gwadarportt.workers[.]dev
helpdesk-police-gov-pk.aabhimulla446.workers[.]dev
instagram-com.pakistan-gov-pk.workers[.]dev
ispr-gov-pk.workers[.]dev
kpt-gov-pk.workers[.]dev
maif-piac-aero.gov-pkgov.workers[.]dev
mail-asian-parliament-org.pakistan-gov-pk.workers[.]dev
mail-communication-gov-pk.pakistan-gov-pk.workers[.]dev
mail-depo-gov-pk.govtpak.workers[.]dev
mail-depo-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-dgdp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecac-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ecp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-ecp-gov-pk.pakistan-gov-pk.workers[.]dev
mail-fbr.gov-pk.workers[.]dev
mail-gwadarport-gov-pk.kr-i-sas-orv-e-l-a.workers[.]dev
mail-gwadarport-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-hit-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-invest-gov-pk.gwadarportt.workers[.]dev
mail-islamabadpolice-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-kpt-gov-pk.gob-pk.workers[.]dev
mail-kpt-gov-pk.niancao010.workers[.]dev
mail-kpt-gov-pk.pak-gov-pk.workers[.]dev
mail-mod-gov-pk.pakistan-gov-pk.workers[.]dev
mail-modp.gov-pkgov.workers[.]dev
mail-modp-gov-pk.govtpak.workers[.]dev
mail-modp-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-modp-gov-pk.pak-gov-pk.workers[.]dev
mail-mofa-gov-pk.pakistan-gov-pk.workers[.]dev
mail-na-gov-pk.na-gov-pk.workers[.]dev
mail-nba-gov-pk.pakistan-gov-pk.workers[.]dev
mail-ntc-net-pk.gov-pkgov.workers[.]dev
mail-paf-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-paknavy.gov-pk.workers[.]dev
mail-pc-gov-pk-login.ethanhunthero125.workers[.]dev
mail-pof-gov-pk.govtpak.workers[.]dev
mail-ppra-org-pk.pakistan-gov-pk.workers[.]dev
mail-punjab-gov-pk.ntc-telecomcorporation.workers[.]dev
mail-punjab-gov-pk.ntc-telecommunication-safecity.workers[.]dev
mail-punjab-gov-pk.punjab-info-tech-board.workers[.]dev
mail-sco-gov-pk.mil-bd.workers[.]dev
mail-sco-gov-pk.ntc-telecomcorporation.workers[.]dev
meharusman524gov-pk.workers[.]dev
meharusman524gov-pk4230.workers[.]dev
na-gov-pk.workers[.]dev
na-gov-pk-bfd.workers[.]dev
navy-lk.workers[.]dev
nha-gov-pk.pakistan-gov-pk.workers[.]dev
old-violet-aae5.meharusman524gov-pk4230.workers[.]dev
pak-gov-pk.workers[.]dev
pakistan-gov-pk.workers[.]dev
paknavy-gov-pk.workers[.]dev
pitb.gov-pkgov.workers[.]dev
pitb-gov-pk.workers[.]dev
pmo-gov-pk-auth.workers[.]dev
pof-gov-pk.workers[.]dev
pythonscanner.gov-pkgov.workers[.]dev
reports-ecp-gov-pk.mlc-landdistribution.workers[.]dev
throbbing-sun-f4e8.meharusman524gov-pk4230.workers[.]dev
wapda-gov-pk.workers[.]dev
webmail.wapda-gov-pk.workers[.]dev
webmail-gda-gov-pk.gwadarportt.workers[.]dev
webmail-wapda-gov-pk.pakistan-gov-pk.workers[.]dev
worker-cool-credit-6d6f.navy-lk.workers[.]dev
worker-dark-paper-2231.gov-pkgov.workers[.]dev
worker-patient-wave-96d1.pakistan-gov-pk.workers[.]dev
worker-plain-wind-01a9.pakistan-gov-pk.workers[.]dev
worker-silent-pond-c90d.pakistan-gov-pk.workers[.]dev
```

  • Site content of domain `pythonscanner.gov-pkgov.workers[.]dev`
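A triage helper for the workers[.]dev hunt above, added here as an example and not code from the original post or from DomainTools or DNSDB: it applies the page's DNSDB Scout regex to a constructed subset of the RRNames listed above (written without defanging brackets, plus two controls that must not match), splits each hit into the Cloudflare Worker account and the government or navy domain the label imitates, and clusters hits per account so shared infrastructure stands out. The service-prefix list and the hyphen-to-dot decoding are assumptions of this example, not part of the original hunt.

```python
import re
from collections import defaultdict

# Regex taken from the DNSDB Scout query on the page; RRNames carry a trailing dot.
HUNT_RE = re.compile(r"(navy|gov)-(pk|lk).+workers\.dev\.$")

# Assumed service words the naming convention places before the imitated entity.
SERVICE_PREFIXES = {"mail", "webmail", "email", "cpanel", "helpdesk", "reports"}

# Constructed sample: hostnames from the list above as fully qualified RRNames,
# plus two constructed controls that must not match the hunt pattern.
SAMPLE_RRNAMES = [
    "cpanel-nha-gov-pk.pakistan-gov-pk.workers.dev.",
    "mail-ecp-gov-pk.pakistan-gov-pk.workers.dev.",
    "mail-mofa-gov-pk.pakistan-gov-pk.workers.dev.",
    "webmail-wapda-gov-pk.pakistan-gov-pk.workers.dev.",
    "mail-modp-gov-pk.ntc-telecomcorporation.workers.dev.",
    "mail-paf-gov-pk.ntc-telecomcorporation.workers.dev.",
    "navy-lk.workers.dev.",
    "worker-cool-credit-6d6f.navy-lk.workers.dev.",
    "paknavy-gov-pk.workers.dev.",
    "some-app.example-account.workers.dev.",  # control: no gov/navy token
    "mail-kpt-gov-pk.example.com.",           # control: not a workers.dev host
]


def matches_hunt(rrname: str) -> bool:
    """True when the RRName satisfies the page's DNSDB regex."""
    return HUNT_RE.search(rrname) is not None


def split_worker(rrname: str):
    """Return (account, [service labels]) for a workers.dev RRName.

    Workers resolve as <account>.workers.dev or <name>.<account>.workers.dev,
    so the account is always the label directly left of workers.dev.
    """
    host = rrname.rstrip(".")
    suffix = ".workers.dev"
    if not host.endswith(suffix):
        return None, []
    labels = host[: -len(suffix)].split(".")
    return labels[-1], labels[:-1]


def decode_masquerade(label: str):
    """Map a label such as 'mail-kpt-gov-pk' to the imitated 'kpt.gov.pk'.

    Assumed heuristic: the convention flattens dots to hyphens and may prepend
    a service word. Real entity names containing a hyphen would be mis-joined,
    so such hits still need manual review.
    """
    tokens = label.split("-")
    if len(tokens) < 2 or tokens[-2] not in ("gov", "navy") or tokens[-1] not in ("pk", "lk"):
        return None
    if len(tokens) > 2 and tokens[0] in SERVICE_PREFIXES:
        tokens = tokens[1:]
    return ".".join(tokens)


def imitated_domain(rrname: str):
    """First decodable label, checking service labels before the account name."""
    account, service = split_worker(rrname)
    if account is None:
        return None
    for label in service + [account]:
        target = decode_masquerade(label)
        if target:
            return target
    return None


def cluster_hits(rrnames):
    """Group hunt hits by Worker account -> sorted list of imitated domains."""
    clusters = defaultdict(set)
    for name in rrnames:
        if not matches_hunt(name):
            continue
        account, _ = split_worker(name)
        target = imitated_domain(name)
        if target:
            clusters[account].add(target)
    return {acct: sorted(targets) for acct, targets in clusters.items()}


if __name__ == "__main__":
    for account, targets in sorted(cluster_hits(SAMPLE_RRNAMES).items()):
        print(f"{account}: {', '.join(targets)}")
```

Accounts that front several imitated domains (here pakistan-gov-pk and ntc-telecomcorporation) are the ones worth pivoting on first.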

Hunting for Domain Masquerades in Whois and Web Scans

Hunting for Pakistani domain masquerades using Cloudflare. The nature of these broader hunts is apt to uncover unintended prey; in this case, stumbling on a mix of Pakistani travel and government job boards, and crypto exchange masquerades.

```
govtjobspak[.]live
pakkjob[.]com
pakgovtsjobs[.]com
gov-declare[.]help
karakfinance[.]cfd
fi-ton[.]org
```

```
search:query=CoinTelegraphLegal.pdf&crumb=location:\\45.82.13[.]15@80\Downloads\&displayname=Downloads
```

Conclusion

Hunting for undetected threats can take on many forms. Prompted by threat reports and intelligence, threat hunters may cast a wider net to seek out undetected indicators, detect patterns, and correlate findings with other sources of information. That said, wider nets can catch more than the intended quarry. In this case, the hunt found an ecosystem of websites impersonating Pakistani airlines and government job boards, as well as remnants of malicious domains and scanners on Pakistani government domains. While it may not all be SloppyLemming activity, it highlights apparent widespread targeting of Pakistan.

References

https://www.cloudflare.com/threat-intelligence/research/report/unraveling-sloppylemmings-operations-across-south-asia/

Credential Phishing Pages Mimicking Legitimate Webmail Login Portals

Since 1 August 2024, a likely India-nexus targeted intrusion actor has targeted entities in China and South Asia using credential phishing pages mimicking legitimate webmail login portals. Domain naming conventions as well as observed phishing pages reveal likely targeting of entities in the government and defense sectors. Observed tactics, techniques, and procedures (TTPs) and target scope are consistent with public reporting on Indian targeted intrusion actors.

Details

Identified domains share the following similarities:

  • Registration via 1api registrar service
  • Use of Royalhost nameservers
  • Resolving to the IP address 65.21.85[.]206
  • Domain naming convention using webmail login or file download themes often combined with references to specific, likely targeted entities

The 65.21.85[.]206 IP address is a shared host resolving numerous domains likely unrelated to the India-nexus targeted intrusion activity. However, historical data from this host indicates the India-nexus actor has used 65.21.85[.]206 since at least April 2024 to host phishing domains.

Figure 1. Example Credential Phishing Page from nepal-mofa[.]com

Analysis of this activity also shows one of the actor-registered domains (never-giveup.mail-downloadfiles[.]com) redirecting to a credential phishing page hosted on the cloud service Netlify (large-files-d0wnl0ad-session-expired.netlify[.]app). These domains are likely being used to target Chinese entities.

Figure 2. Chinese-language Credential Phishing Page Hosted on Netlify

IOCs

South Asia:
  • navy.lk.mails-gov[.]com (Sri Lanka)
  • mailbox-owa-bd[.]com (Bangladesh)
  • nepal-mofa[.]com (Nepal)

China:
  • mod.gov.cn.inviation.mail-files-open-preview[.]com
  • never-giveup.mail-downloadfiles[.]com
  • all-files.mail-sessionexpired[.]com
  • mail-sessionexpired[.]com
  • preview-files-login.mail-sessionexpired[.]com
  • proposal-pdf-login.mail-sessionexpired[.]com
  • securitychallenge-cetci.mail-sessionexpired[.]com
  • alitcn.mail-files-open-preview[.]com
  • app-all.mail-files-open-preview[.]com
  • attachments-secure-check.mail-files-open-preview[.]com
  • coremail-downloads.mail-files-open-preview[.]com
  • coremail-files-downloads.mail-files-open-preview[.]com
  • download-all.mail-files-open-preview[.]com
  • download-attachments.mail-files-open-preview[.]com
  • mail-files-open-preview[.]com
  • netease-secure.mail-files-open-preview[.]com
  • pla-navy-seecure-drive.mail-files-open-preview[.]com

Conclusion

This activity is consistent with targeted intrusion activity identified in previous public reporting. Naming conventions are generally consistent with activity from the group known as SideWinder, with domains spoofing webmail login portals and the targeting of entities in China and South Asia. The India-nexus targeted intrusion group known as Patchwork has also historically exhibited a similar target scope.

Researchers: Weak Security Defaults Enabled Squarespace Domains Hijacks

A recent KrebsOnSecurity article details that at least a dozen organizations with domain names at the domain registrar Squarespace saw their websites hijacked last week. Squarespace bought all assets of Google Domains a year ago, but many customers still haven’t set up their new accounts. Experts say malicious hackers learned they could commandeer any migrated Squarespace account that hadn’t yet been registered, merely by supplying an email address tied to an existing domain.

Read the research: https://krebsonsecurity.com/2024/07/researchers-weak-security-defaults-enabled-squarespace-domains-hijacks/

M-Trends 2024 Special Report

In this 15th edition, M-Trends provides an inside look at the evolving cyber threat landscape, with data drawn directly from frontline incident response investigations and threat intelligence findings of high-impact attacks and remediations around the globe.

  • The latest incident response metrics including dwell times, detection sources, initial infection vectors, and so much more
  • China-nexus attackers increasingly targeting edge devices and platforms that lack EDR
  • Trending adversary operations and motivations behind zero day attacks
  • The evolution of phishing techniques amidst modern security controls
  • How attackers are leveraging AiTM to compromise multi-factor authentication safeguards
  • The reasons and solutions behind growing cloud and hybrid cloud environment intrusions
  • How AI is effectively used in red and purple team operations to help boost cyber defenses

Read Anton Chuvakin's take on the report: https://medium.com/anton-on-security/reading-the-mandiant-m-trends-2024-acb3208add80

2024 Data Breach Investigations Report

Another year has passed and that means another Verizon DBIR. For those that don’t want to read the full DBIR, here was our perspective from the Internet intelligence side of cybersecurity:

  • Median time for users to fall for phishing emails is 49 seconds
  • Pretexting is a more likely social action than Phishing
  • Ransomware was a top threat across 92% of industries (less representative than last year - median ratio of initially requested ransom and company revenue was only 1.34%)
  • The human element was a component of 68% of breaches

What do these threats all have in common? DNS!

https://www.verizon.com/business/resources/reports/dbir

‘The Manipulaters’ Improve Phishing, Still Fail at Opsec

The Resurgence of the “Manipulaters” Team - Breaking HeartSenders

In January 2024, The Manipulaters pleaded with Brian Krebs to unpublish previous stories about their work, claiming the group had turned over a new leaf and gone legitimate. But new research suggests that while they have improved the quality of their products and services, these nitwits still fail spectacularly at hiding their illegal activities.

https://krebsonsecurity.com/2024/04/the-manipulaters-improve-phishing-still-fail-at-opsec
