Israeli Entities Attacked by Cyber Intrusion Utilizing Donut and Sliver Systems
A team of cybersecurity researchers has brought to light an intrusion campaign targeting various Israeli organizations with publicly available tooling such as Donut and Sliver.
As per a report released by HarfangLab last week, the campaign is characterized by the use of bespoke WordPress websites for payload delivery and relies on well-known open-source malware, despite having infrastructure customized for its targets across different sectors.
Tracking the operation under the moniker Supposed Grasshopper, the French company links it to an attacker-controlled server (“auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin”) to which an initial downloader connects.
This downloader, written in Nim, has one basic function: fetching the second-stage malware from the staging server. It is delivered as a virtual hard disk (VHD) file that is presumed to be distributed through the custom WordPress sites as part of a drive-by download approach.

The second-stage payload retrieved from the server is Donut, a shellcode-generation tool, which in turn serves as the loader for Sliver, an open-source alternative to Cobalt Strike.
“The operators displayed considerable effort in setting up specialized infrastructure and establishing a legitimate-looking WordPress site for payload delivery,” mentioned the researchers. “In general, this operation hints at the involvement of a small group.”
The ultimate objective of the operation remains unclear; however, HarfangLab suggests it may be tied to a legitimate penetration-testing engagement, which in turn raises questions about transparency and about the need to impersonate Israeli government bodies.
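The delivery chain above (a gov.il lookalike host serving a VHD or .bin stage) lends itself to a simple proxy-log check. The following is an added example written for this article, not code from HarfangLab or the report; the log format, the sample lines and the second lookalike domain are constructed for illustration, and only the first indicator comes from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator from the HarfangLab report, defanged as printed in the article.
DEFANGED_IOC = "auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin"

def refang(indicator: str) -> str:
    """Reverse common defanging ('[.]', 'hxxp') so the value can be matched."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Heuristic: a hyphenated 'gov-il' label under a commercial TLD, mimicking
# the real .gov.il suffix used by Israeli government sites.
LOOKALIKE_GOV_IL = re.compile(r"(^|\.)[a-z0-9-]*gov-il\.(com|net|org)$", re.I)
# Container types used in the chain: the VHD carrier and the .bin stage.
STAGING_EXT = (".vhd", ".bin")

@dataclass
class Hit:
    line: str
    reason: str

def classify(host: str, path: str) -> Optional[str]:
    """Return a detection reason for one request, or None if it looks benign."""
    if f"{host}{path}" == refang(DEFANGED_IOC):
        return "known Supposed Grasshopper staging URL"
    if LOOKALIKE_GOV_IL.search(host) and path.lower().endswith(STAGING_EXT):
        return "VHD/bin download from a gov.il lookalike domain"
    return None

def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Scan constructed '<ts> <client> <host> <path> <status>' proxy lines."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than fail the whole scan
        reason = classify(parts[2], parts[3])
        if reason:
            hits.append(Hit(line, reason))
    return hits

# Constructed sample log; the 'finance-gov-il.net' host is hypothetical.
SAMPLE_LOG = [
    "09:01:02 10.0.0.5 www.gov.il /news/index.html 200",
    "09:02:11 10.0.0.5 auth.economy-gov-il.com /SUPPOSED_GRASSHOPPER.bin 200",
    "09:03:45 10.0.0.7 cdn.example.com /assets/app.js 200",
    "09:04:10 10.0.0.7 portal.finance-gov-il.net /update/image.vhd 200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` flags the second and fourth lines; the first line shows that the genuine .gov.il suffix does not trigger the lookalike rule.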
In a separate disclosure, the SonicWall Capture Labs threat research team detailed an infection chain that starts with booby-trapped Excel spreadsheets and deploys a trojan named Orcinius.
“Orcinius is a multistage trojan that employs Dropbox and Google Docs for downloading secondary payloads and maintaining its updates,” as conveyed by the company in a statement. “It contains an obfuscated VBA macro that integrates with Windows for monitoring active windows and keystrokes, along with establishing persistence using registry keys.”