Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities with publicly available frameworks like Donut and Sliver.
The campaign, believed to be highly targeted in nature, “leverages target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affects a variety of entities across unrelated verticals, and relies on well-known open-source malware,” HarfangLab said in a report last week.
The French company is tracking the activity under the name Supposed Grasshopper. It is a reference to an attacker-controlled server (“auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin”) to which a first-stage downloader connects.
This downloader, written in Nim, is rudimentary and is tasked with fetching the second-stage malware from the staging server. It is delivered by means of a virtual hard disk (VHD) file that is suspected to be propagated via custom WordPress sites as part of a drive-by download scheme.
The second-stage payload retrieved from the server is Donut, a shellcode generation framework, which serves as a conduit for deploying an open-source Cobalt Strike alternative known as Sliver.
“The operators also put some notable effort into acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads,” the researchers said. “Overall, this campaign feels like it could realistically be the work of a small team.”
The end goal of the campaign is currently unknown, although HarfangLab theorized that it could also be associated with a legitimate penetration testing operation, a possibility that raises its own set of questions surrounding transparency and the need to impersonate Israeli government agencies.
The disclosure comes as the SonicWall Capture Labs threat research team detailed an infection chain that employs booby-trapped Excel spreadsheets as a starting point to drop a trojan known as Orcinius.
“This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated,” the company said. “It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys.”