The information security company Harfanglab has reported a new campaign targeting various Israeli organizations. The attackers are using the publicly available frameworks Donut and Sliver to carry out their attacks.
The campaign, known as the Supposed Grasshopper, is impacting enterprises across various sectors of the economy. The attackers are utilizing infrastructure tailored for specific purposes and specially created WordPress sites to distribute malicious software.
The malicious activity begins with a loader written in the Nim language, which connects to a C2 server to receive the second-stage payloads. These payloads are delivered through a virtual hard disk (VHD) file distributed via specially designed WordPress sites using drive-by techniques.
The second-stage payload received from the server is Donut, a shellcode generation framework that acts as a conduit for deploying Sliver, an open-source alternative to Cobalt Strike.
Researchers have observed that the campaign operators put significant effort into acquiring specific infrastructure and setting up a realistic WordPress website to deliver the payloads. This indicates that the campaign is likely orchestrated by a small yet highly organized group.
Despite researchers’ efforts, the ultimate goal of the campaign remains unclear. Harfanglab suggests that the campaign could be linked to legitimate penetration testing operations, raising concerns about transparency and the impersonation of Israeli government entities.
The Sliver command-and-control framework was developed by the information security company Bishop Fox. Sliver is a cross-platform post-exploitation framework written in Go (Golang), designed for use by security professionals.
Sliver offers numerous functions for simulating malicious activity, including dynamic code generation, in-memory payload execution, and process injection. These capabilities make it an attractive tool for attackers seeking to gain advanced access to target systems.