Security researchers describe a small, targeted operation that impersonates Israeli government entities and private firms to deploy open-source offensive tooling through a mixed toolchain: a drive-by delivery chain built on custom WordPress sites and a VHD-based initial payload. The chain centres on a first-stage Nim downloader and a Donut-packed Sliver implant, with C2 and staging hosted on economy-gov-il[.]com and related infrastructure. The researchers raise the possibility that the activity is a legitimate penetration test, but could not tie it to any known firm. #SupposedGrasshopper #Donut #Sliver #NimDownloader #EconomyGovIl #OperativeSintecMedia
Key points
- Campaigns appear highly targeted, focusing on an Israeli government entity and subsequently private companies across unrelated verticals.
- Delivery relies on two custom WordPress websites used in drive-by download schemes to deliver a VHD payload.
- The infection begins with a VHD named vacation5.vhd containing hagrala.lnk, hagrala.hta, and a first-stage Nim downloader.
- First-stage Nim downloader fetches the second stage from a remote server, operating largely in memory (no disk write).
- Final payload combines Donut and Sliver, with AMSI/WLDP evasion patches to enable post-infection activity and full C2 control.
- Infrastructure spans several domains (economy-gov-il[.]com, portal.operative-sintecmedia[.]com, carlsberg[.]site) and their registration and hosting details; some of the domains impersonate real brands or a government ministry.
- The report weighs whether the activity could be legitimate penetration testing; because it cannot be tied to any known firm, the findings are published for community awareness.
MITRE Techniques
- [T1189] Drive-by Compromise – Delivery via specifically crafted WordPress websites linking to a VHD file. Quote: ‘on November 6, 2023, this custom WordPress website … contained a button linking to a VHD file’
- [T1218.005] System Binary Proxy Execution: Mshta – The HTA file hagrala.hta is executed after the user follows the decoy shortcut, launching the first-stage malware. Quote: ‘Following the shortcut causes hagrala.hta to be executed, with the following effects: … the first-stage malware is launched.’
- [T1055] Process Injection – The Nim downloader allocates a new executable buffer with VirtualAllocEx and jumps to the next stage. Quote: ‘allocates a new executable buffer with VirtualAllocEx and jumps to the first byte of the next stage.’ Note that the quoted behaviour (allocate an executable buffer, transfer control to it) is in-memory execution; if the buffer lives in the downloader's own process rather than a remote one, the closer ATT&CK mapping is T1620 Reflective Code Loading.
- [T1105] Ingress Tool Transfer – The Nim downloader downloads the second-stage malware from a staging server controlled by the attacker. Quote: ‘downloading the second-stage malware from a staging server controlled by the attacker.’
- [T1562.001] Impair Defenses: Disable or Modify Tools – The final payload patches AMSI and WLDP so that script and assembly scanning returns without inspecting the content. Quote: ‘Patch the AmsiScanBuffer and AmsiScanBytes functions so they return immediately, … WldpIsClassInApprovedList …’ (The scanning exports of amsi.dll are AmsiScanBuffer and AmsiScanString.)
- [T1071.001] Application Layer Protocol: Web Protocols – The final payload (Sliver) beacons to a C2 server (www.economy-gov-il[.]com) over HTTPS. Quote: ‘The final payload … is an instance of Sliver using www.economy-gov-il[.]com as a C2 server.’
Indicators of Compromise
- [Hash] a8948dd8e4e4961da537b40bf7e313f0358510f93e25dea1a2fafd522bfd0e84 – Virtual Hard Disk file (vacation5.vhd)
- [Hash] d891f4339354d3f4c4b834e781fa4eaca2b59c6a8ee9340cc489ab0023e034c8 – First-stage Nim downloader
- [Hash] 2070dd30e87c492e6f44ebb0a37bcae7cb309de61e1c4e6223df090bb26b3cd7 – Donut and Sliver final payload
- [URL] hxxps://portal.operative-sintecmedia[.]com/report.vhd – VHD distribution site
- [URL] hxxps://employees.carlsberg[.]site/voucher.vhd – VHD distribution site
- [Domain] economy-gov-il[.]com – C2/staging domain for the Nim downloader and Sliver
- [Domain] portal.operative-sintecmedia[.]com – Staging server hosting a custom WordPress site
- [Domain] carlsberg[.]site – Domain used in the campaign infrastructure
- [Domain] carls.employers-view[.]com – Related infrastructure
- [IP] 157.90.153[.]59 – Sliver C2 server resolved from economy-gov-il domain