Targeted Cyberattacks Strike Israeli Entities with Donut and Sliver Frameworks

Cybersecurity researchers have uncovered a targeted cyberattack campaign against various Israeli entities, utilizing widely available frameworks such as Donut and Sliver.

Details of the Campaign

The attack, identified by HarfangLab, leverages target-specific infrastructure and custom WordPress websites to deliver payloads. Despite the diverse range of targeted entities, the campaign employs well-known open-source malware. HarfangLab has dubbed this activity "Supposed Grasshopper," referencing an attacker-controlled server, "auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin," which is accessed by a first-stage downloader.

Attack Mechanism

The initial downloader, written in Nim, is relatively simple and is responsible for fetching the second-stage malware from the staging server. This second-stage payload is delivered via a virtual hard disk (VHD) file, potentially disseminated through custom WordPress sites as part of a drive-by download scheme.

Role of Donut and Sliver Frameworks

The second-stage payload retrieved from the server is Donut, a shellcode generation framework that facilitates the deployment of Sliver, an open-source alternative to Cobalt Strike. The attackers have notably invested in dedicated infrastructure and created realistic WordPress websites to deliver these payloads, suggesting the involvement of a small, organized team.

Speculations on the Campaign's Goal

While the ultimate objective of this campaign remains unclear, HarfangLab has speculated that it might be linked to legitimate penetration testing operations. However, this possibility introduces concerns regarding transparency and the impersonation of Israeli government agencies.

Related Cyber Threats

In a related development, SonicWall Capture Labs has detailed an infection chain starting with booby-trapped Excel spreadsheets that drop a trojan called Orcinius. This multi-stage trojan utilizes Dropbox and Google Docs to download second-stage payloads and maintain updates. It features an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes, establishing persistence through registry keys.

Protecting Against Emerging Threats

This incident underscores the importance of robust cybersecurity measures, including stolen credentials detection, darknet monitoring services, and dark web surveillance. Implementing compromised data tracking, digital footprint analysis, and brand protection strategies can mitigate the risks associated with such sophisticated attacks. Additionally, brand impersonation defense, online risk evaluation, and digital threat scoring are critical for a comprehensive cybersecurity posture.

Conclusion

As cyber threats continue to evolve, it is essential for individuals and organizations to stay informed about emerging attack vectors and implement proactive security measures. Leveraging advanced cybersecurity solutions and maintaining vigilance can significantly enhance defenses against the growing landscape of cyber threats.

About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.