Different researchers involved in cybersecurity have discovered that there are notorious cyberattacks directed towards the Israeli targets using the frameworks that are available in the public domain such as Donut and Sliver. This activity has been monitored by the French cybersecurity firm HarfangLab, and given a code name “Supposed Grasshopper”.
The campaign is well-structured and built and employs the use of ordinary websites on a Content Management System known as WordPress to disseminate the malware. Although the campaign impacts various entities in different industries, it uses recognizable open-source viruses. The said attackers have a target-specific infrastructure and are using custom WordPress websites to distribute their payloads, as noted by HarfangLab.
On the basement of this attack we can identify a downloader partially implemented in the Nim programming language. The grabbed module joins to an opponent-controlled host (“auth. economy-gov-il[. ]com/SUPPOSED_GRASSHOPPER. bin”) and downloads a second-stage malware from a staging server. This second-stage payload, which comes as a VHD file, is believed to be distributed through primarily through drive-by downloads on custom WordPress websites.
The second-stage payloads are Donut, the shell code generator along with a Sliver, an open source tool that is similar to Cobalt Strike. The operators have invested a lot of efforts to obtain dedicated infrastructure and to build realistic WordPress sites to deploy payloads. Such procedures point to the work of a small group of trained specialists.
It is still rather vague who and what the campaign is promoting and what its ultimate goal is. HarfangLab has hypothesized that it may be affiliated with a genuine pen-testing exercise, and this begs the issue of why impersonation of Israeli government departments is necessary and how such actions are conducted.
In a similar study, the SonicWall Capture Labs threat research team revealed an infection process from the booby trapped Excel spreadsheets that download a trojan called Orcinius. This trojan works in several stages: the second stage drop files stored at Dropbox and Google Docs, and the final stage inserts itself on the startup folder to became persistent on the infected system.
By documenting ongoing cases, this brings out the fact that cyber criminals are constantly adjusting their methods, and as such, any necessary security measures must fit the same bill in order to defend against such superior threats.