Cyberattack Campaign Targets Israeli Entities Using Open-Source Tools
Cybersecurity analysts have uncovered a sophisticated attack campaign directed at various entities within Israel that relies on publicly available frameworks such as Donut and Sliver. HarfangLab, a cybersecurity research firm, detailed the operation in a report last week, describing it as highly targeted and combining custom-built infrastructure with WordPress sites to deliver its payloads. The campaign's reach extends across multiple sectors, affecting diverse organizations that do not appear to be directly related.
HarfangLab is tracking the activity under the moniker "Supposed Grasshopper," named after a specific attacker-controlled server, "auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin." This server is the initial connection point for a downloader written in Nim, which is relatively basic yet central to the campaign's structure. Once activated, the downloader's primary function is to retrieve a second-stage malware component from the staging server; the chain involves a virtual hard disk (VHD) file, potentially distributed through customized WordPress sites in a drive-by download scheme.
The second-stage payload obtained from this operation is Donut, a framework for shellcode generation. It acts as a conduit for deploying Sliver, an open-source Cobalt Strike alternative that has gained notoriety in recent cyber operations. Researchers noted that the campaign's operators have put considerable effort into establishing dedicated infrastructure, including realistic WordPress sites, to deliver their malicious payloads. This level of planning and execution suggests the involvement of a small but skilled team dedicated to the effort.
The ultimate objectives of the campaign remain unclear. HarfangLab raises the possibility that the operation could be tied to legitimate penetration testing activity. That possibility in turn raises questions about the ethical implications of impersonating Israeli governmental entities in such a context.
The disclosure of this threat follows another significant development in cybersecurity: SonicWall Capture Labs described an infection chain initiated through compromised Excel spreadsheets. This method employs a trojan known as Orcinius, which uses Dropbox and Google Docs to deliver second-stage malware and to update itself. The trojan contains a heavily obfuscated VBA macro that hooks into the Windows environment, monitoring active processes and keystrokes while establishing persistence via registry keys.
This recent surge in cyber threats underscores the importance of vigilance among businesses, particularly those with ties to the Israeli sector, which has historically been a target because of geopolitical tensions. As adversaries employ increasingly advanced tactics of the kind catalogued in the MITRE ATT&CK framework (initial access, persistence, and privilege escalation among them), organizations must strengthen their defenses against these evolving threats. Awareness and preparation are critical as the threat landscape continues to change, highlighting the need for businesses to adopt proactive cybersecurity measures.