July 4, 2024
Severity
High
Analysis Summary
A sophisticated attack campaign dubbed "Supposed Grasshopper" employs publicly available tools like Donut and Sliver to carry out its operations.
In a recent cybersecurity discovery, researchers uncovered that it targets multiple Israeli entities and leverages custom WordPress websites as a means to deliver malware, utilizing a first-stage downloader written in Nim to initiate the attack chain. This downloader connects to an attacker-controlled server to retrieve a second-stage payload stored in a virtual hard disk (VHD) file.
The second-stage payload, Donut, is a shellcode generation framework that is used here to deploy Sliver, an open-source alternative to Cobalt Strike. The attackers show considerable operational sophistication, using dedicated infrastructure and realistic WordPress sites to distribute malicious payloads. Despite these efforts, the ultimate objective of the campaign remains unclear, with speculation ranging from espionage to disguised penetration testing activity.
In a separate incident, another threat involves booby-trapped Excel spreadsheets that deliver a trojan known as Orcinius. This trojan operates in multiple stages utilizing Dropbox and Google Docs to download additional payloads and maintain persistence on infected systems. It features obfuscated VBA macros that enable it to monitor windows and keystrokes, establishing persistence through registry keys.
These developments underscore the evolving nature of cyber threats, where attackers blend publicly available tools with sophisticated delivery mechanisms to target specific entities across diverse sectors. The incidents also highlight the ongoing challenge of attribution and discerning between malicious activities and legitimate security testing, raising questions about transparency and the implications for cybersecurity practices globally.
Impact
- Sensitive Information Theft
- Cyber Espionage
Indicators of Compromise
Domain Name
- login.operative-sintecmedia.com
- portal.operative-sintecmedia.com
- login.carlsberg.site
- employees.carlsberg.site
- portal.carlsberg.site
- carls.employers-view.com
- login.microsofonlline.com
MD5
- d4dc9cc972b353dd514e74e78c1badda
- 08a337c96658b630b4b8781ec9870228
- 3b28d01f21238d9e1d577f7399cf0585
SHA-256
- a8948dd8e4e4961da537b40bf7e313f0358510f93e25dea1a2fafd522bfd0e84
- 6fb531839410b65be4f4833d73f02429b4dba8ed56fa236cce76750b9a1be23b
- d891f4339354d3f4c4b834e781fa4eaca2b59c6a8ee9340cc489ab0023e034c8
SHA-1
- 0ccf397a2a393d7aa6d9f9574c9aacf3a7d3d42d
- 5383c81f4b6566aacacb1b3ad667dd90ae87313b
- 8d08cac6a8d48420fc02fa8e29d3f6287cb22179
URL
- https://auth.economy-gov-il.com/SUPPOSED_GRASSHOPPER.bin?token=ghhdjsdgsd
- https://portal.operative-sintecmedia.com/SAD_ATTENUATION.bin
- https://portal.operative-sintecmedia.com/report.vhd
- https://employees.carlsberg.site/voucher.vhd
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all software, including operating systems, applications, web platforms such as WordPress, and their plugins, is regularly updated with the latest security patches to mitigate vulnerabilities exploited by attackers.
- Emphasize to users the importance of not clicking on suspicious links or downloading files from unknown sources.
- Implement strict network segmentation to limit the lateral movement of malware within the network, thereby containing potential infections and reducing the impact of successful attacks.
- Deploy and maintain robust endpoint protection solutions that include antivirus, anti-malware, and behavior-based detection to detect and block malicious activity at the endpoint level.
- Utilize WAFs to monitor and filter HTTP/HTTPS traffic to and from web applications, detecting and blocking malicious requests that could exploit vulnerabilities in WordPress or other web platforms.
- Develop and regularly test an incident response plan that outlines procedures for detecting, responding to, and recovering from cybersecurity incidents promptly.
- Implement the principle of least privilege to limit user access rights and permissions, reducing the likelihood of unauthorized access and minimizing the potential impact of compromised accounts.
- Establish comprehensive logging and monitoring capabilities to detect unusual or suspicious activities on networks and systems, enabling timely response and investigation of potential security incidents.
- Assess and monitor the security posture of third-party vendors and suppliers, especially those providing infrastructure or services critical to operations, to ensure they meet adequate security standards.
- Encrypt sensitive data both in transit and at rest to protect it from unauthorized access in case of a successful breach or data exfiltration attempt.
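As an added example (not part of the advisory), the following Python script shows how the indicators listed above can be swept across a web proxy log and local files, covering the first two remediation items. The log format is an assumed generic one (timestamp, client IP, method, URL or host, status, bytes), and the sample log lines are constructed for the example; the indicator values themselves are the ones published above.

```python
"""IOC sweep for the Supposed Grasshopper / Orcinius advisory.

Matches the advisory's domains and URLs against proxy log lines and its
file hashes against files on disk. Added example, not advisory tooling.
"""
import hashlib
import re
from pathlib import Path

# Indicators copied from the advisory above.
DOMAINS = {
    "login.operative-sintecmedia.com", "portal.operative-sintecmedia.com",
    "login.carlsberg.site", "employees.carlsberg.site", "portal.carlsberg.site",
    "carls.employers-view.com", "login.microsofonlline.com",
}
URLS = {
    "https://auth.economy-gov-il.com/SUPPOSED_GRASSHOPPER.bin?token=ghhdjsdgsd",
    "https://portal.operative-sintecmedia.com/SAD_ATTENUATION.bin",
    "https://portal.operative-sintecmedia.com/report.vhd",
    "https://employees.carlsberg.site/voucher.vhd",
}
MD5S = {"d4dc9cc972b353dd514e74e78c1badda", "08a337c96658b630b4b8781ec9870228",
        "3b28d01f21238d9e1d577f7399cf0585"}
SHA1S = {"0ccf397a2a393d7aa6d9f9574c9aacf3a7d3d42d", "5383c81f4b6566aacacb1b3ad667dd90ae87313b",
         "8d08cac6a8d48420fc02fa8e29d3f6287cb22179"}
SHA256S = {"a8948dd8e4e4961da537b40bf7e313f0358510f93e25dea1a2fafd522bfd0e84",
           "6fb531839410b65be4f4833d73f02429b4dba8ed56fa236cce76750b9a1be23b",
           "d891f4339354d3f4c4b834e781fa4eaca2b59c6a8ee9340cc489ab0023e034c8"}

# Proxies often log URLs without the query string, so match on the path part only.
URL_PREFIXES = {u.split("?", 1)[0].lower(): u for u in URLS}
# Anything that looks like a dotted hostname (also catches bare CONNECT hosts).
HOST_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b")

# Constructed sample lines in the assumed format: ts client method target status bytes.
SAMPLE_PROXY_LOG = """\
2024-07-04T09:12:03Z 10.0.0.21 GET https://employees.carlsberg.site/voucher.vhd 200 4194304
2024-07-04T09:12:44Z 10.0.0.21 GET https://www.example.com/index.html 200 1024
2024-07-04T09:13:10Z 10.0.0.35 CONNECT login.microsofonlline.com:443 200 0
2024-07-04T09:14:02Z 10.0.0.35 GET https://portal.operative-sintecmedia.com/report.vhd 200 8388608
"""


def iocs_in_line(line: str) -> list[tuple[str, str]]:
    """Return (kind, indicator) pairs found in one log line, deduplicated and sorted."""
    low = line.lower()
    hits = set()
    for prefix, original in URL_PREFIXES.items():
        if prefix in low:
            hits.add(("url", original))
    for host in HOST_RE.findall(low):
        for d in DOMAINS:
            # Exact hostname, or a deeper subdomain of a listed hostname.
            if host == d or host.endswith("." + d):
                hits.add(("domain", d))
    return sorted(hits)


def sweep_log(text: str) -> list[tuple[int, str, str]]:
    """Scan a whole log and return (line_number, kind, indicator) findings."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for kind, ioc in iocs_in_line(line):
            findings.append((n, kind, ioc))
    return findings


def classify_hashes(md5: str, sha1: str, sha256: str) -> list[str]:
    """Return the names of the hash algorithms whose value matches a listed indicator."""
    matches = []
    if md5.lower() in MD5S:
        matches.append("md5")
    if sha1.lower() in SHA1S:
        matches.append("sha1")
    if sha256.lower() in SHA256S:
        matches.append("sha256")
    return matches


def scan_file(path: Path) -> list[str]:
    """Hash a file with all three algorithms in one pass and check against the IOC sets."""
    h = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for digest in h.values():
                digest.update(chunk)
    return classify_hashes(h["md5"].hexdigest(), h["sha1"].hexdigest(), h["sha256"].hexdigest())


if __name__ == "__main__":
    for line_no, kind, ioc in sweep_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {kind} match -> {ioc}")
```

Run against the sample, the script flags lines 1, 3 and 4 and leaves the benign line 2 alone; point `scan_file` at a download directory (for example, any recently written `.vhd` or `.bin` files) to check local artifacts against the published hashes. Hash matching is exact, so it catches only the specific samples listed; the domain and URL matching is what catches new downloads from the same infrastructure.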