Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

June 28, 2024, 3:27 p.m.

Description

A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites, employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclear, the activities illustrate the challenges of distinguishing legitimate penetration testing from malicious operations, especially when targeting government bodies. The investigation highlights the increasing adoption of publicly available attack tools and the need for greater transparency in the cybersecurity industry.

Date

Published: June 28, 2024, 2:58 p.m.

Created: June 28, 2024, 2:58 p.m.

Modified: June 28, 2024, 3:27 p.m.

Indicators

c21ad804c22a67ddb62adf5f6153a99268f0b26e359b842ebeabcada824c277f

d891f4339354d3f4c4b834e781fa4eaca2b59c6a8ee9340cc489ab0023e034c8

d7a66f8529f1c32342c4ed06c4a4750a93bd44161f578e5b94d6d30f7cc41581

2070dd30e87c492e6f44ebb0a37bcae7cb309de61e1c4e6223df090bb26b3cd7

a8948dd8e4e4961da537b40bf7e313f0358510f93e25dea1a2fafd522bfd0e84

6fb531839410b65be4f4833d73f02429b4dba8ed56fa236cce76750b9a1be23b

157.90.153.59

www.economy-gov-il.com

Attack Patterns

Donut

Sliver

T1608.004

T1562.004

T1053.005

T1574.002

T1059.001

T1071.001

T1070.004

T1562.001

T1105