Pierluigi Paganini March 27, 2019

The NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign tracked as
LUCKY ELEPHANT targeting mostly South Asian governments.

Security experts at NETSCOUT Threat Intelligence team uncovered a credential harvesting campaign, tracked as LUCKY ELEPHANT, targeting mostly South Asian governments.

The campaign was discovered in early March 2019, threat actors behind the LUCKY ELEPHANT campaign use doppelganger webpages to mimic legitimate entities such as foreign governments, telecommunications, and military.

The attacks started at least since February 2019, the hackers attempted to trick victims into providing login credentials.  The attackers registered the doppelgangers with various top-level domains (TLD), especially those that protect registrant anonymity. 

According to the experts, threat actors carried out a phishing campaign to lure victims to the websites and provide their credentials, at the time of writing the researchers did not detect any malware associated with
LUCKY ELEPHANT campaign.

The list of the organizations mimicked by hackers includes entities in Pakistan, Bangladesh, Sri Lankan, Maldives, Myanmar, and Nepal.

According to the ASERT, the LUCKY ELEPHANT campaign was carried out by an Indian APT group.  

“The targets are typical of known Indian APT activity and the infrastructure was previously used by an Indian APT group.  Phishing and credential theft are commonly observed with Indian targeting in-region.” continues the analysis.

“One of the IP addresses, 128.127.105[.]13, was previously used by the DoNot Team (aka APT-C-35), a suspected Indian APT group.  DoNot Team has a history of heavily targeting Pakistan, in addition to other neighboring countries.”

Experts discovered two active IP addresses (128.127.105[.]13 and 179.43.169[.]20) involved in the attacks,  monitoring them the researchers uncovered new doppelganger domains used by the threat actors.

Below the key findings published by the experts:

• ASERT uncovered a credential theft campaign we call LUCKY ELEPHANT where attackers masquerade as legitimate entities such as foreign government, telecommunications, and military.
• The doppelganger webpages primary purpose is to gather login credentials; we have not observed malware payloads associated with the campaign.
• One IP address used in the LUCKY ELEPHANT campaign was previously used by the suspected Indian APT DoNot Team; and at least one of the domains used for credential harvesting was previously attributed to a Chinese APT group.

“The actors behind LUCKY ELEPHANT recognize the effectiveness and use doppelganger webpages nearly identical to legitimate sites, enticing users to input their credentials. It is unclear exactly how effective and widespread this campaign is at gathering credentials, as well as how any compromised credentials are being used.” concludes ASERT.

“However, it is clear is that the actors are actively establishing infrastructure and are targeting governments in South Asia.”

Pierluigi Paganini

(SecurityAffairs – LUCKY ELEPHANT, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]