
Digital safety starts here, for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do not charge or collect any fees.

Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Summary:
Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.

The campaign, tracked by HarfangLab as "Supposed Grasshopper," is named after an attacker-controlled server that the first-stage downloader connects to. This initial downloader, written in the Nim programming language, is rudimentary and is responsible for fetching the second-stage malware from the staging server. The second-stage payload is delivered via a virtual hard disk (VHD) file, suspected to be disseminated through custom WordPress sites as part of a drive-by download scheme.

Once retrieved, the second-stage payload includes Donut, a shellcode generation framework, which serves as a conduit for deploying Sliver, an open-source alternative to Cobalt Strike. The attackers have put significant effort into acquiring dedicated infrastructure and creating realistic WordPress websites to facilitate payload delivery. HarfangLab researchers suggest this level of sophistication indicates the involvement of a small, focused team.
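The delivery artifact in this chain is a VHD image, and a renamed or mislabeled container is exactly what a drive-by download relies on. The following is an added example for this page, not code from HarfangLab, the campaign, or WNYCyber: it recognises a VHD by its structure (the 512-byte footer that begins with the ASCII cookie "conectix", with a checksum defined as the one's complement of the footer's byte sum) rather than by file extension, so an incident responder can triage a downloads folder or a mail-gateway quarantine regardless of what the file was called. The footer values and the sample files are constructed in memory and are hypothetical.

```python
"""Recognise VHD containers by their footer, not their extension.

Added example for this page, not code from HarfangLab, the campaign, or
WNYCyber. A VHD image ends with a 512-byte footer beginning with the ASCII
cookie "conectix" (dynamic/differencing images also carry a copy at offset 0),
so a downloaded container can be flagged even after it has been renamed.
All sample data below is constructed in memory with hypothetical values.
"""
import struct
from typing import Optional

VHD_COOKIE = b"conectix"
FOOTER_SIZE = 512
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}


def _checksum(footer: bytes) -> int:
    """VHD footer checksum: one's complement of the byte sum, computed with
    the 4-byte checksum field (offset 64) treated as zero."""
    zeroed = footer[:64] + b"\x00" * 4 + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def parse_footer(data: bytes) -> Optional[dict]:
    """Return the footer fields worth triaging, or None if data is not a VHD."""
    if len(data) < FOOTER_SIZE:
        return None
    footer = data[-FOOTER_SIZE:]
    if footer[:8] != VHD_COOKIE:
        return None
    stored = struct.unpack_from(">I", footer, 64)[0]
    return {
        "disk_type": DISK_TYPES.get(struct.unpack_from(">I", footer, 60)[0], "unknown"),
        "current_size": struct.unpack_from(">Q", footer, 48)[0],
        "creator_app": footer[28:32].decode("ascii", "replace"),
        "checksum_ok": stored == _checksum(footer),
    }


def triage(files: dict) -> dict:
    """Map each file name to 'vhd', 'vhd-corrupt' (cookie present, bad checksum)
    or 'not-vhd'. The extension is deliberately ignored."""
    verdicts = {}
    for name, blob in files.items():
        info = parse_footer(blob)
        if info is None:
            verdicts[name] = "not-vhd"
        elif not info["checksum_ok"]:
            verdicts[name] = "vhd-corrupt"
        else:
            verdicts[name] = "vhd"
    return verdicts


def build_footer(current_size: int, disk_type: int, creator_app: bytes = b"win ") -> bytes:
    """Construct a spec-shaped footer for the samples (hypothetical values)."""
    f = bytearray(FOOTER_SIZE)
    f[0:8] = VHD_COOKIE
    struct.pack_into(">I", f, 8, 2)              # features: reserved bit is always set
    struct.pack_into(">I", f, 12, 0x00010000)    # file format version 1.0
    # data offset: fixed disks store all ones, dynamic disks point at the dynamic header
    struct.pack_into(">Q", f, 16, 0xFFFFFFFFFFFFFFFF if disk_type == 2 else 512)
    f[28:32] = creator_app                       # creator application (4 ASCII bytes)
    f[36:40] = b"Wi2k"                           # creator host OS: Windows
    struct.pack_into(">Q", f, 40, current_size)  # original size
    struct.pack_into(">Q", f, 48, current_size)  # current size
    struct.pack_into(">I", f, 60, disk_type)
    struct.pack_into(">I", f, 64, _checksum(bytes(f)))
    return bytes(f)


# Constructed samples: a tiny "fixed" VHD whose data area is all zeros,
# the same bytes under a document-looking name, and an MZ file named .vhd.
SAMPLE_VHD = b"\x00" * 4096 + build_footer(4096, 2)
SAMPLES = {
    "update.vhd": SAMPLE_VHD,
    "report.pdf": SAMPLE_VHD,                 # renamed container: still detected
    "invoice.vhd": b"MZ" + b"\x00" * 1022,    # .vhd name, but not a VHD
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```

For real files, read only the first 8 and last 512 bytes instead of the whole image; the footer check is the same. A "vhd-corrupt" verdict is still worth a look, since a hand-built container may carry a footer that was never rechecksummed.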

Security Officer Comments:
Despite the detailed mechanics of the attack, the ultimate goal remains unclear. HarfangLab theorizes that the campaign could be associated with legitimate penetration testing operations, which raises concerns about transparency and the implications of impersonating Israeli government agencies.

Suggested Corrections:

IOCs:
https://github.com/HarfangLab/iocs/tree/main/TRR240601

Link(s):
https://thehackernews.com/2024/07/israeli-entities-targeted-by.html

https://harfanglab.io/en/insidethel...private-companies-deploy-open-source-malware/