Cybersecurity researchers have discovered an attack campaign that uses publicly available frameworks such as Donut and Sliver to target multiple Israeli businesses.
Researchers studying cybersecurity have uncovered an assault operation that targets several Israeli organizations using frameworks like Donut and Sliver that are available to the public. In a report released last week, HarfangLab stated that the campaign using Donut and Sliver, which is thought to be highly targeted, “leverages target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affects a variety of entities across unrelated verticals and relies on well-known open-source malware.” The activity is being monitored by the French business using the moniker “Supposed Grasshopper.” It’s a pointer to a server under the control of the attacker, to which a first-stage downloader connects.This is a basic Nim downloader whose job it is to download the second-stage malware from the staging server. It is distributed using a virtual hard disk (VHD) file that may have spread through custom WordPress sites.
The shellcode-generating framework Donut, which is the second-stage payload that was extracted from the server, acts as a conduit for the deployment of Sliver, an open-source alternative to Cobalt Strike. According to the researchers, “the operators also made some noteworthy efforts in deploying a realistic WordPress website and acquiring dedicated infrastructure to deliver payloads.” ” In general, this campaign seems like it could have been produced by a tiny team.” The campaign’s ultimate objective is still unknown; however, HarfangLab hypothesized that it might also be connected to a lawful penetration testing operation, which presents further concerns about openness and posing as Israeli government agencies.
The revelation coincides with the release of information by the threat research team at SonicWall Capture Labs regarding an infection chain that uses Excel documents that have been booby-trapped to release the Orcinius trojan. According to the business, “this is a multi-stage trojan that uses Dropbox and Google Docs to download second-stage payloads and stay updated.” It has an obscured VBA macro that connects to Windows to track open windows and keystrokes, and it uses registry entries to establish persistence.
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
