Cybersecurity researchers have discovered an attack campaign that targets various Israeli entities using publicly available frameworks such as Donut and Sliver.
The campaign, believed to be highly targeted in nature, "leverage target-specific infrastructure and custom WordPress websites as a payload delivery mechanism, but affect a variety of entities across unrelated verticals, and rely on well-known open-source malware," HarfangLab said in a report last week.
The French company is tracking the activity under the name Supposed Grasshopper, a reference to an attacker-controlled server ("auth.economy-gov-il[.]com/SUPPOSED_GRASSHOPPER.bin") to which the first-stage downloader connects.
This downloader, written in Nim, is rudimentary: its only task is to fetch the second-stage malware from the staging server. It is delivered inside a virtual hard disk (VHD) file that is suspected to be distributed via the custom WordPress sites as part of a drive-by download scheme.
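The delivery chain described above (a VHD container fetched from a lookalike WordPress site, then a first-stage request to an attacker-controlled host that imitates a gov.il domain) gives a defender two concrete things to look for in web-proxy logs. The Python below is an added example, not HarfangLab's tooling, and uses no indicator from the report other than the one hostname quoted above: it identifies VHD/VHDX files by their on-disk signatures, flags hostnames that embed a `gov-il` fragment without actually being under `.gov.il`, and runs both checks over a constructed proxy log. The WordPress hostname, the log format and the `.gov.il` host in the sample are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Fixed and dynamic VHD images end with a 512-byte footer whose first eight
# bytes are the cookie "conectix"; dynamic images also keep a copy of that
# footer at offset 0. VHDX files begin with the eight-byte signature "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"

# Hostname carries "gov-il" / "gov_il" as a label fragment, e.g. economy-gov-il.com.
GOV_IL_FRAGMENT = re.compile(r"(^|[-.])gov[-_]il([-.]|$)", re.I)


def classify_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhdx', 'vhd' or None for the raw bytes of a downloaded file."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:
        return "vhd"
    if data[:8] == VHD_COOKIE:  # dynamic VHD with its footer copy at the start
        return "vhd"
    return None


def impersonates_gov_il(host: str) -> bool:
    """True for hosts that mimic the Israeli government domain without being under it."""
    host = host.lower().rstrip(".")
    if host == "gov.il" or host.endswith(".gov.il"):
        return False
    return bool(GOV_IL_FRAGMENT.search(host))


# Constructed proxy log: "<time> <client> <method> <url> <status> <bytes>".
# Only the second line's host and path come from the report; the rest is made up.
SAMPLE_PROXY_LOG = """\
2024-06-20T10:01:02Z 10.0.0.5 GET https://news-portal-example.com/wp-content/uploads/2024/06/report.vhd 200 4194304
2024-06-20T10:01:09Z 10.0.0.5 GET https://auth.economy-gov-il.com/SUPPOSED_GRASSHOPPER.bin 200 184320
2024-06-20T10:02:11Z 10.0.0.7 GET https://www.example.gov.il/ 200 5120
"""


def flag_downloads(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, url, reason) for requests matching either delivery pattern."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        parsed = urlparse(url)
        host, path = parsed.hostname or "", parsed.path.lower()
        if impersonates_gov_il(host):
            hits.append((client, url, "gov.il lookalike host"))
        if path.endswith((".vhd", ".vhdx")):
            hits.append((client, url, "virtual disk image download"))
    return hits


def build_sample_vhd(payload_size: int = 2048) -> bytes:
    """Constructed fixed-VHD-shaped blob: payload bytes followed by a 'conectix' footer."""
    footer = VHD_COOKIE + b"\x00" * (512 - len(VHD_COOKIE))
    return b"\x00" * payload_size + footer


if __name__ == "__main__":
    for hit in flag_downloads(SAMPLE_PROXY_LOG):
        print(hit)
    print(classify_disk_image(build_sample_vhd()))
```

The signature check matters more than the extension check: a VHD served with a misleading name or content type still ends with its `conectix` footer, so running `classify_disk_image` over the bytes of every large download catches what a filename filter misses.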
The second-stage payload retrieved from the server is shellcode generated with Donut, a shellcode generation framework, and it serves as the loader for Sliver, an open-source Cobalt Strike alternative.
"The operators also put some notable efforts in acquiring dedicated infrastructure and deploying a realistic WordPress website to deliver payloads," the researchers said. "Overall, this campaign feels like it could realistically be the work of a small team."
The end goal of the campaign is currently unknown, although HarfangLab theorized that it could also be a legitimate penetration testing operation, a possibility that raises its own questions about transparency and about why impersonating Israeli government agencies would have been necessary.
The disclosure comes as the SonicWall Capture Labs threat research team detailed an infection chain that employs booby-trapped Excel spreadsheets as a starting point to drop a trojan known as Orcinius.
"This is a multi-stage trojan that is using Dropbox and Google Docs to download second-stage payloads and stay updated," the company said. "It contains an obfuscated VBA macro that hooks into Windows to monitor running windows and keystrokes and creates persistence using registry keys."
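Two of the behaviours SonicWall attributes to Orcinius above, a VBA macro that declares Windows APIs to watch foreground windows and keystrokes, and registry-based persistence, can be caught with fairly generic detection logic. The Python below is an added example of that logic, not SonicWall's signatures and not the trojan's own code: one function flags Office processes writing Run/RunOnce values in constructed Sysmon-style registry events, the other lists hooking- and keylogging-related Win32 imports declared in a constructed VBA fragment of the kind olevba would extract. The report does not name the registry keys Orcinius uses, so Run/RunOnce is an assumption, as are all paths, SIDs and value names in the samples.

```python
import re
from typing import Iterable

# Office hosts that have no business writing autostart entries themselves.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# Classic autostart keys. Assumption: the write-up says Orcinius persists via
# registry keys but does not name them; Run/RunOnce are the usual candidates.
AUTOSTART_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I
)

# user32 APIs a VBA keylogger or foreground-window monitor typically declares.
HOOKING_APIS = {
    "SetWindowsHookEx", "SetWindowsHookExA", "SetWindowsHookExW",
    "GetAsyncKeyState", "GetKeyState", "GetForegroundWindow",
    "GetWindowTextA", "GetWindowTextW",
}
DECLARE_RE = re.compile(
    r'Declare\s+(?:PtrSafe\s+)?(?:Function|Sub)\s+(\w+)\s+Lib\s+"([^"]+)"', re.I
)

# Constructed registry "value set" events in the shape of Sysmon Event ID 13.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OfficeUpdate",
     "details": r"wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs"},
    {"image": r"C:\Windows\explorer.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Office\16.0\Excel\Resiliency\StartupItems\Book1",
     "details": "Binary Data"},
]

# Constructed VBA fragment of the kind olevba would extract; not Orcinius's macro.
SAMPLE_VBA = '''
Private Declare PtrSafe Function GetAsyncKeyState Lib "user32" (ByVal vKey As Long) As Integer
Private Declare PtrSafe Function GetForegroundWindow Lib "user32" () As LongPtr
Private Declare PtrSafe Function GetWindowTextA Lib "user32" (ByVal hWnd As LongPtr, ByVal lpString As String, ByVal cch As Long) As Long
Private Declare PtrSafe Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
'''


def find_office_persistence(events: Iterable[dict]) -> list[dict]:
    """Flag Office processes that write Run/RunOnce values (Excel writing
    its own Resiliency keys, or explorer.exe writing Run, is left alone)."""
    alerts = []
    for ev in events:
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        target = ev.get("target", "")
        if image in OFFICE_IMAGES and AUTOSTART_KEY_RE.search(target):
            alerts.append({"image": ev["image"], "target": target,
                           "details": ev.get("details", "")})
    return alerts


def suspicious_vba_imports(vba_source: str) -> list[tuple[str, str]]:
    """Return (api, library) for declared Win32 imports linked to hooking or keylogging."""
    return [(name, lib) for name, lib in DECLARE_RE.findall(vba_source)
            if name in HOOKING_APIS]


if __name__ == "__main__":
    for alert in find_office_persistence(SAMPLE_EVENTS):
        print("persistence:", alert)
    for api, lib in suspicious_vba_imports(SAMPLE_VBA):
        print("declared import:", api, "from", lib)
```

The registry rule deliberately keys on the writing process rather than on the value data, since the data (a script interpreter plus a path under the user's profile here) changes from sample to sample while "Excel created a Run value" almost never happens legitimately. The VBA check is a triage aid, not proof: obfuscated macros may build the `Declare` line at runtime, so absence of a hit does not clear a document.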