
Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly available frameworks like Donut and Sliver.

The campaign, believed to be highly targeted in nature, "leverages target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affects a variety of entities across unrelated verticals, and relies on well-known open-source malware," HarfangLab said in a report last week.

The French company is tracking the activity under the name Supposed Grasshopper. It's a reference to an attacker-controlled server ("auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin") to which a first-stage downloader connects.

This downloader, written in Nim, is rudimentary and is tasked with downloading the second-stage malware from the staging server. It's delivered by means of a virtual hard disk (VHD) file that's suspected to be propagated via custom WordPress sites as part of a drive-by download scheme.


The second-stage payload retrieved from the server is Donut, a shellcode generation framework, which serves as a conduit for deploying an open-source Cobalt Strike alternative called Sliver.
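The delivery chain described above (a lookalike government domain hosting the staging binary, and a VHD file served from a WordPress site) leaves traces in web proxy logs. The script below is an added example, not code from HarfangLab or from the report, showing how a defender might triage such logs for it. The only real indicator it uses is the staging URL quoted above (refanged for matching); the sample log lines are constructed, the log format is assumed, and the "gov-il lookalike" heuristic is an assumption of this example rather than something the report describes.

```python
import re
from urllib.parse import urlparse

# Staging URL reported by HarfangLab (page shows it defanged as economy-gov-il[.]com).
KNOWN_STAGING_URL = "auth.economy-gov-il.com/SUPPOSED_GRASSHOPPER.bin"
KNOWN_BAD_HOSTS = {"auth.economy-gov-il.com"}

# Constructed sample proxy log (assumed format):
# "<timestamp> <client_ip> <method> <url> <status> <bytes> <content-type>"
SAMPLE_PROXY_LOG = """\
2024-06-20T09:12:01Z 10.1.4.22 GET http://auth.economy-gov-il.com/SUPPOSED_GRASSHOPPER.bin 200 48213 application/octet-stream
2024-06-20T09:10:44Z 10.1.4.22 GET https://example-news.test/wp-content/uploads/2024/06/report.vhd 200 8388608 application/octet-stream
2024-06-20T09:15:09Z 10.1.7.8 GET https://www.gov.il/en/departments/ministry_of_economy 200 5120 text/html
2024-06-20T09:16:30Z 10.1.9.3 GET https://cdn.example.test/app.js 200 1024 application/javascript
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")


def host_mimics_gov_il(host: str) -> bool:
    """Heuristic (assumption of this example): a hostname that spells out
    'gov-il' with a hyphen but is not actually under the real .gov.il domain."""
    host = host.lower()
    if host == "gov.il" or host.endswith(".gov.il"):
        return False
    return "gov-il" in host


def triage_proxy_line(line: str):
    """Return a finding dict for one log line, or None if nothing is suspicious."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, _method, url, _status, _size, _ctype = m.groups()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    path = parsed.path.lower()
    reasons = []

    # Exact indicators from the report.
    if host in KNOWN_BAD_HOSTS:
        reasons.append("known-ioc-host")
    if f"{host}{parsed.path}" == KNOWN_STAGING_URL:
        reasons.append("known-staging-url")
    elif host_mimics_gov_il(host):
        reasons.append("gov-il-lookalike-host")

    # Behavioural indicator: a virtual hard disk image pulled over the web,
    # especially from a WordPress upload directory.
    if path.endswith((".vhd", ".vhdx")):
        reasons.append("vhd-download")
        if "/wp-content/" in path:
            reasons.append("wordpress-served-vhd")

    if not reasons:
        return None
    return {"timestamp": ts, "client": client, "host": host, "reasons": reasons}


def triage_proxy_log(text: str):
    """Run triage over every line of a proxy log and return the findings in order."""
    findings = []
    for line in text.splitlines():
        finding = triage_proxy_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f["timestamp"], f["client"], f["host"], ",".join(f["reasons"]))
```

The two hits in the sample come from the same client a couple of minutes apart, which is the sequence the report describes: the VHD arrives first, then the downloader inside it reaches out for the staging binary. Correlating the VHD download with a later request to an unfamiliar host from the same client is more robust than matching the single known URL, since the hostname can change between victims.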


"The operators also put some notable effort into acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads," the researchers said. "Overall, this campaign feels like it could realistically be the work of a small team."

Donut and Sliver Frameworks

The end goal of the campaign is currently unknown, although HarfangLab theorized that it could also be associated with a legitimate penetration testing operation, a possibility that raises its own set of questions surrounding transparency and the impersonation of Israeli government agencies.

The disclosure comes as the SonicWall Capture Labs threat research team detailed an infection chain that employs booby-trapped Excel spreadsheets as a starting point to drop a trojan called Orcinius.

"It's a multi-stage trojan that's using Dropbox and Google Docs to download second-stage payloads and stay updated," the company said. "It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys."
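The combination SonicWall describes (an auto-executing macro, Windows hooks for window and keystroke monitoring, registry persistence, and cloud storage used for staging) is what a static macro triage should look for once the VBA has been dumped out of the spreadsheet. The script below is an added example, not SonicWall's analysis or any part of Orcinius: the VBA fragment is constructed for illustration, and the particular API names and registry path it matches are common indicators chosen for this example, not details taken from the report.

```python
import re

# Constructed VBA fragment standing in for what a macro dumper would extract.
# It is NOT Orcinius' code; it merely exhibits the behaviours described above.
SAMPLE_VBA = r'''
Private Declare PtrSafe Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" (ByVal idHook As Long, ByVal lpfn As LongPtr, ByVal hmod As LongPtr, ByVal dwThreadId As Long) As LongPtr
Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer

Sub Workbook_Open()
    Dim s As String
    s = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "s://www.dropbox.com/s/placeholder/stage2?dl=1"
    Set sh = CreateObject("WScript.Shell")
    sh.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "wscript.exe " & Environ("TEMP") & "\u.vbs"
End Sub
'''

# Indicator families, each a regex over the raw VBA text. These are assumptions
# of this example (well-known API and persistence names), not report content.
INDICATORS = {
    # Procedures Office runs automatically when the document opens.
    "auto-exec": re.compile(r"\b(Workbook_Open|Auto_Open|Document_Open|AutoOpen)\b", re.I),
    # Win32 calls used to watch windows and keystrokes.
    "window-or-keystroke-hook": re.compile(
        r"\b(SetWindowsHookEx\w*|GetAsyncKeyState|GetForegroundWindow|GetWindowText\w*)\b", re.I),
    # Writing under the per-user Run key via WScript.Shell.
    "registry-run-persistence": re.compile(r"RegWrite\b[^\n]*CurrentVersion\\Run\b", re.I),
    # Consumer cloud storage used as a staging location.
    "cloud-storage-url": re.compile(r"\b(dropbox\.com|docs\.google\.com|drive\.google\.com)\b", re.I),
    # Strings assembled from Chr() calls, a simple obfuscation of URLs and commands.
    "chr-string-building": re.compile(r"(Chr\(\d+\)\s*&\s*){3,}", re.I),
}

BEHAVIOURAL = {"window-or-keystroke-hook", "registry-run-persistence", "cloud-storage-url"}


def triage_vba(text: str) -> dict:
    """Map each indicator family that fires to the distinct snippets it matched."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = sorted({m.group(0).strip() for m in rx.finditer(text)})
        if found:
            hits[name] = found
    return hits


def verdict(hits: dict) -> str:
    """'suspicious' when an auto-exec entry point is paired with at least one
    behavioural indicator; 'review' for anything partial; 'clean' otherwise."""
    if "auto-exec" in hits and BEHAVIOURAL & hits.keys():
        return "suspicious"
    if hits:
        return "review"
    return "clean"


if __name__ == "__main__":
    h = triage_vba(SAMPLE_VBA)
    for name, snippets in h.items():
        print(f"{name}: {snippets}")
    print("verdict:", verdict(h))
```

Requiring an auto-exec entry point before escalating keeps ordinary spreadsheets with a stray Win32 declaration out of the "suspicious" bucket, while still surfacing them for review. Real macros obfuscate more heavily than the sample, so the Chr() chain check is a hint rather than a decision criterion.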
