July 3, 2024 at 12:15AM
Cybersecurity researchers have uncovered a highly targeted attack campaign, tracked as Supposed Grasshopper, that targets Israeli entities using open-source tooling such as Donut and Sliver. The attackers deliver the malware through custom WordPress websites, and the campaign is assessed to be the work of a small team. Its end goal is currently unknown.
The report provides an overview of a cyber attack campaign against various Israeli entities that relies on publicly available frameworks rather than bespoke malware. The campaign, tracked by the French company HarfangLab under the name Supposed Grasshopper, is highly targeted and uses custom WordPress websites as its payload delivery mechanism. The infection chain begins with a rudimentary downloader written in Nim, which retrieves the second stage from a staging server. That second stage is Donut, a position-independent shellcode generation and loading framework, which in turn deploys Sliver, an open-source command-and-control framework positioned as an alternative to Cobalt Strike. The campaign's end goal is currently unknown, but it is suspected to be associated with a legitimate penetration testing operation, which raises questions about transparency and the ethics of impersonating Israeli government agencies. Separately, the SonicWall Capture Labs threat research team detailed an infection chain that uses booby-trapped Excel spreadsheets to drop a trojan known as Orcinius. The trojan uses Dropbox and Google Docs to download second-stage payloads and establishes persistence through registry keys.
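The Orcinius summary above notes persistence through registry keys without naming which ones. As an added illustration of how a defender hunts for this class of persistence (this is example code written for this page, not code from HarfangLab, SonicWall or either report), the script below scans constructed Sysmon Event ID 13 (RegistryEvent, value set) records in an assumed pipe-delimited export layout and flags writes to common autorun locations (Run, RunOnce, Winlogon Shell/Userinit) whose data points into a user-writable directory or invokes a script host. The key list, the heuristics, the log format and every path and value in the sample data are assumptions for the example, not a claim about which keys or paths Orcinius modifies.

```python
"""Flag autorun-style registry persistence in Sysmon Event ID 13 records.

Example code added for illustration. The record layout
"EventID|Image|TargetObject|Details" is an assumed export format, not
Sysmon's native XML, and the sample records below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample records (one event per line). None of these come from
# a real incident; hostnames, SIDs and paths are invented for the example.
SAMPLE_LOG = r"""
13|C:\Windows\System32\reg.exe|HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\alice\AppData\Roaming\Updater\update.vbs
13|C:\Program Files\Vendor\setup.exe|HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent|"C:\Program Files\Vendor\agent.exe" --background
13|C:\Windows\System32\wscript.exe|HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\RunOnce\Sync|wscript.exe //B C:\Users\Public\sync.js
13|C:\Windows\explorer.exe|HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden|DWORD (0x00000001)
13|C:\Windows\regedit.exe|HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit|C:\Windows\system32\userinit.exe,C:\ProgramData\loader.exe
"""

# Autorun locations this example watches (a general list, not Orcinius-specific).
AUTORUN_KEYS = [
    re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),          # Run / RunOnce value
    re.compile(r"\\CurrentVersion\\Winlogon\\(Shell|Userinit)$", re.I),  # logon hooks
]
# Value data that should not normally appear under an autorun key.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|rundll32|regsvr32)(\.exe)?\b", re.I)


@dataclass
class Finding:
    image: str          # process that wrote the value
    target: str         # full registry path of the value
    details: str        # data written to the value
    reasons: List[str] = field(default_factory=list)


def parse_record(line: str) -> Optional[dict]:
    """Split one pipe-delimited record; return None for blank or malformed lines."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    event_id, image, target, details = parts
    return {"event_id": event_id, "image": image, "target": target, "details": details}


def classify(rec: dict) -> Optional[Finding]:
    """Return a Finding when a value-set event writes suspicious data to an autorun key."""
    if rec["event_id"] != "13":
        return None  # only RegistryEvent (value set) carries the data we inspect
    if not any(p.search(rec["target"]) for p in AUTORUN_KEYS):
        return None  # not an autorun location
    reasons = []
    if USER_WRITABLE.search(rec["details"]):
        reasons.append("user-writable path")
    if SCRIPT_HOSTS.search(rec["details"]):
        reasons.append("script host")
    if not reasons:
        return None  # e.g. a vendor agent under Program Files: noisy but expected
    return Finding(rec["image"], rec["target"], rec["details"], reasons)


def hunt_autorun_persistence(log: str) -> List[Finding]:
    """Run the classifier over every record in a log export."""
    findings = []
    for line in log.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        finding = classify(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt_autorun_persistence(SAMPLE_LOG):
        print(f"{', '.join(f.reasons):28} {f.target} <- {f.details}  (by {f.image})")
```

Run against the constructed sample, the script flags the Run value pointing into AppData, the RunOnce value launching wscript.exe from Users\Public, and the tampered Winlogon Userinit value, while leaving the vendor agent under Program Files and the unrelated Explorer setting alone. In production the same logic would read the real Sysmon event fields, and the allow-list for legitimate installers would need tuning per environment.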