Cybersecurity researchers have uncovered an attack campaign targeting several Israeli organizations that relies on publicly available frameworks such as Donut and Sliver.
The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware," HarfangLab said in a report last week.
The French company is tracking the activity under the moniker Supposed Grasshopper. The name comes from a URL on an attacker-controlled server ("auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin") to which a first-stage downloader connects.
This downloader, written in Nim, is rudimentary and is tasked with fetching the second-stage payload from the staging server. It is delivered inside a virtual hard disk (VHD) file that is believed to be distributed via custom WordPress sites as part of a drive-by download technique.
The second-stage payload retrieved from the server is Donut, a shellcode-generation framework, which acts as a conduit for deploying Sliver, an open-source alternative to Cobalt Strike.
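The delivery chain described above (a VHD download from a WordPress site followed by a fetch of the stage-2 binary from the named host) is something a defender can hunt for in web-proxy logs. The script below is an added example, not code from the report or from HarfangLab; the log format, the client field and the sample lines are constructed for illustration.

```python
"""Hunt for the Supposed Grasshopper delivery chain in web-proxy logs.

Added example (not HarfangLab's tooling). The log format, the client field
and SAMPLE_LOGS are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage-2 host named in the report, with the defanging brackets removed so
# the string matches what a proxy actually records.
STAGE2_HOST = "auth.economy-gov-il[.]com".replace("[.]", ".")
WINDOW = timedelta(minutes=10)  # assumed maximum gap between the two stages

# Constructed proxy lines: "<ISO timestamp> <client> <host> <path>".
SAMPLE_LOGS = """\
2024-06-20T09:00:01 10.0.0.5 example-wp-site.test /downloads/brief.vhd
2024-06-20T09:03:12 10.0.0.5 auth.economy-gov-il.com /SUPPOSED_GRASSHOPPER.bin
2024-06-20T09:10:00 10.0.0.7 example-wp-site.test /downloads/brief.vhd
2024-06-20T11:30:00 10.0.0.7 auth.economy-gov-il.com /SUPPOSED_GRASSHOPPER.bin
2024-06-20T12:00:00 10.0.0.9 cdn.example.test /update.bin
""".splitlines()


def parse(line):
    ts, client, host, path = line.split()
    return datetime.fromisoformat(ts), client, host.lower(), path


def find_chains(lines, window=WINDOW):
    """Return (client, vhd_time, bin_time) for each client that downloaded a
    .vhd file and then, within `window`, fetched a .bin from STAGE2_HOST."""
    vhd_seen = defaultdict(list)  # client -> timestamps of VHD downloads
    hits = []
    for line in lines:
        ts, client, host, path = parse(line)
        if path.lower().endswith(".vhd"):
            vhd_seen[client].append(ts)
        elif host == STAGE2_HOST and path.lower().endswith(".bin"):
            # Correlate only with a VHD download that precedes this fetch.
            for t in vhd_seen[client]:
                if timedelta(0) <= ts - t <= window:
                    hits.append((client, t, ts))
                    break
    return hits


if __name__ == "__main__":
    for client, t0, t1 in find_chains(SAMPLE_LOGS):
        print(f"{client}: VHD at {t0}, stage-2 fetch at {t1}")
```

Any contact with the stage-2 host is worth an alert on its own; the time-window correlation is there to surface the full chain and the originating WordPress site.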
"The operators also put some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads," the researchers added. "Overall, this campaign feels like it could realistically be the work of a small team."
The ultimate goal of the campaign is currently unclear, though HarfangLab hypothesized that it could be linked to a legitimate penetration testing operation, a possibility that raises its own questions about transparency and the need to impersonate Israeli government entities.
The discovery comes as the SonicWall Capture Labs threat research team disclosed an infection chain that uses booby-trapped Excel files as the starting point for deploying a trojan known as Orcinius.
"This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated," the firm stated. "It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys."