Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware

June 28, 2024, 3:27 p.m.

Description

A long-running campaign was identified involving malicious actors impersonating Israeli entities and private companies. The operators delivered payloads through crafted WordPress sites, employing a mix of custom code and open-source malware like Donut and Sliver. While the motivations remain unclear, the activities illustrate the challenges of distinguishing legitimate penetration testing from malicious operations, especially when targeting government bodies. The investigation highlights the increasing adoption of publicly available attack tools and the need for greater transparency in the cybersecurity industry.

Date

  • Created: June 28, 2024, 2:58 p.m.
  • Published: June 28, 2024, 2:58 p.m.
  • Modified: June 28, 2024, 3:27 p.m.

Indicators


Attack Patterns