Supposed Grasshopper: operators impersonate Israeli government and private companies to deploy open-source malware
June 28, 2024, 3:27 p.m.
Description
A long-running campaign was identified in which the operators impersonated Israeli government entities and private companies. They delivered payloads through crafted WordPress sites, using a mix of custom code and open-source offensive tooling such as Donut and Sliver. While the motivation remains unclear, the activity illustrates how hard it can be to distinguish legitimate penetration testing from malicious operations, especially when government bodies are the targets. The investigation highlights the growing adoption of publicly available attack tools and the need for greater transparency in the cybersecurity industry.
Date
Published: June 28, 2024, 2:58 p.m.
Created: June 28, 2024, 2:58 p.m.
Modified: June 28, 2024, 3:27 p.m.
Indicators
Attack Patterns
Donut
Sliver
T1608.004
T1562.004
T1053.005
T1574.002
T1059.001
T1071.001
T1070.004
T1562.001
T1105