Cybersecurity researchers discovered an attack campaign targeting various Israeli organizations with public frameworks such as Donut and Sliver.
The company, which is said to be highly targeted at its core, “uses targeted WordPress infrastructure and custom websites as a payload delivery engine, but targets various entities in unrelated verticals and relies on well-known open source malware” , HarfangLab said in last week’s report.
A French company tracks activity called “As Supposedly a Grasshopper.” This is a link to an attacker-controlled server (“auth.economy-gov-il(.)com/SUPPOSED_GRASSHOPPER.bin”) to which the first-stage downloader connects.
Written in Nim, this loader is rudimentary and designed to load second-tier malware from a proxy server. It is delivered via a virtual hard disk (VHD) file that is believed to be distributed through custom WordPress sites as part of a continuous download scheme.
The second stage payload received from the server Donuta shellcode generation framework that serves as a conduit for open source deployment Cobalt strike alternative no A scrap.
“Operators have also made some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads,” the researchers said. “Overall, it looks like this campaign could really be a small team effort.”
The ultimate purpose of the campaign is currently unknown, although HarfangLab theorizes that it may also be related to a legitimate penetration testing operation, a possibility that raises its own set of questions related to transparency and the need to impersonate Israeli government agencies.
The disclosure comes as SonicWall’s threat research team Capture Labs detailed an infection chain that uses Excel spreadsheets as a starting point to take down the Trojan known as Orcinius.
“This is a multi-stage Trojan that uses Dropbox and Google Docs to download second-stage payloads and stay updated,” the company said in a statement. said. “It contains an obfuscated VBA macro that connects to Windows to monitor open windows and keystrokes and creates persistence using registry keys.”
