LUCKY ELEPHANT campaign targets South Asian governments to harvest login credentials

• The campaign has been active since February 2019.
• The attackers have registered fake websites with doppelganger top-level domains in order to trick the victims.

A new cyberespionage campaign dubbed as ‘LUCKY ELEPHANT’ has been discovered by security researchers lately. The campaign is mostly used against South Asian governments.

Worth noting - Security experts at NETSCOUT Threat Intelligence team found that the campaign has been active since February 2019. The threat actors behind the campaign use doppelganger webpages to mimic real entities such as foreign governments, telecommunications, and military.

The attackers have registered fake websites with various top-level domains in order to trick the victims. The victims, visiting these websites, think them real, and later provide their login credentials.

Who are the victims - The list of organizations that are mimicked by hackers include entities in Pakistan, Bangladesh, Sri Lanka, Maldives, Myanmar, and Nepal. According to the researchers, the threat actors are suspected to be from India. They discovered that one IP address used in the campaign belongs to an Indian APT group named ‘DoNot Team’.

Apart from creating fake South Asian government websites, the threat actors also mimicked the Microsoft Outlook 365 login pages to pull more victims.

“From at least February 2019 to present, the actors in the LUCKY ELEPHANT campaign copied webpages to mimic South Asian government websites as well as Microsoft Outlook 365 login pages and hosted them on their own doppelganger domains, presumably to trick victims into providing login credentials. They registered their doppelgangers with various top-level domains (TLD), specifically those that afford the actors registrant anonymity,” NETSCOUT researchers wrote in a blog post.

It is believed that these fake websites are distributed via phishing emails.

What are the key findings - NETSCOUT researchers have discovered two active IP addresses: 128.127.105[.]13 and 179.43.169[.]20, related to the campaign. These doppelganger domains have been set up to facilitate the credential harvesting campaign.

“One of the IP addresses, 128.127.105[.]13, was previously used by the DoNot Team (aka APT-C-35), a suspected Indian APT group. DoNot Team has a history of heavily targeting Pakistan, in addition to other neighboring countries. The 360 Intelligence Center observed four distinct campaigns against Pakistan since 2017, recently targeting Pakistani businessmen working in China,” researchers added.

The bottom line - The actors behind LUCKY ELEPHANT are cleverly using the fake webpages to entice users to input their credentials. It is unclear as to how effective and widespread the campaign is at gathering credentials. It is also unknown as for how many many users have been affected.