HackerDose
Hackers Pose as Israeli Government and Companies to Deploy Malware

Cybercriminals are impersonating Israeli government entities and private companies to deploy sophisticated open-source malware.

By Marco Rizal, Editor and Journalist
Last updated: August 21, 2024 10:15 am

HARFANGLAB, a cybersecurity firm, has discovered a complex operation in which attackers pretend to be Israeli government entities and private companies in order to distribute open-source malware.

Their investigation uncovered a suspicious and long-standing domain that may be targeting the Israeli government.

This domain is still active and serves as the command-and-control (C2) server in an infection chain that impersonates an Israeli government entity.

The company found that a combination of readily available malware was used, with some minor custom development to connect the different parts of the attack.

Their research also revealed that, in late 2023, private companies were targeted by similar attacks that relied on common techniques and custom WordPress websites to deliver the payload.

Although there is a chance that these attacks are legitimate penetration testing operations, there is no evidence connecting them to any reputable penetration testing company.

How it works

The infection chain starts with a VHD file called “vacation5.vhd.” A VHD is a virtual hard disk image that Windows can mount natively, without any extra tools.

Inside this VHD are multiple hidden files, along with a visible shortcut file called “hagrala.lnk” that points to an HTA file named “hagrala.hta.” Opening the VHD file leads to the execution of the HTA file.

The HTA displays a decoy image while copying the malware files to the %TEMP% folder and launching the first stage of the malware.

The first stage is a basic downloader written in the Nim programming language. It connects to an attacker-controlled staging server to fetch the second-stage malware.

The connection uses an SSL context initialized with an embedded certificate. However, testing shows that the downloader also accepts certificates signed by other certificate authorities, so the intended certificate validation offers little real protection.

[Figure: Executable part of the infection chain | Credits: HARFANGLAB]

The final payload combines two open-source projects, Donut and Sliver. Donut is a framework that generates position-independent shellcode, while Sliver is a Go-based trojan created as a free alternative to Cobalt Strike.

After being executed, Donut is designed to disrupt the victim's security products by manipulating AMSI (Antimalware Scan Interface) and WLDP (Windows Lockdown Policy).

It modifies certain functions of these components so that they no longer work, thereby circumventing the checks they would normally perform.

Sliver, the final payload, utilizes the domain “www.economy-gov-il[.]com” as its C2 server.

The attacker gains complete control over the victim's machine, giving them the ability to utilize Sliver's features for various actions, including data exfiltration or deploying additional malware.
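As an added illustration that is not part of the original article or of HARFANGLAB's report, the following Python script runs simple detection heuristics over constructed Sysmon-style events modelling the chain above: the VHD is opened, mshta.exe launches the HTA from the mounted volume, a stage is dropped into %TEMP%, and that dropped stage resolves the gov.il lookalike C2 domain. The event layout, the drive letter F:, the user paths and the file name stage1.exe are assumptions.

```python
import re

# Constructed Sysmon-style events (not taken from the article) that replay the chain
# it describes: the VHD is opened, the shortcut launches mshta.exe on hagrala.hta from
# the mounted volume, the HTA drops a stage into %TEMP%, and that stage resolves the
# lookalike C2 domain. Paths, the drive letter F: and stage1.exe are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "cmd": r'explorer.exe "C:\Users\bob\Downloads\vacation5.vhd"'},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" "F:\hagrala.hta"'},
    {"type": "file", "image": r"C:\Windows\System32\mshta.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\stage1.exe"},
    {"type": "dns", "image": r"C:\Users\bob\AppData\Local\Temp\stage1.exe",
     "query": "www.economy-gov-il.com"},
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "query": "www.gov.il"},
]

HTA_ARG = re.compile(r'"?([A-Z]):\\[^"]*\.hta"?', re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Lookalike heuristic: "gov" and "il" glued together with a hyphen or dot inside a name
# whose registrable zone is not gov.il itself (e.g. economy-gov-il.com).
GOV_LOOKALIKE = re.compile(r"(^|[.-])gov[-.]?il($|[.-])")


def is_gov_il_lookalike(domain):
    d = domain.lower().rstrip(".")
    if d == "gov.il" or d.endswith(".gov.il"):
        return False  # genuine Israeli government zone
    return bool(GOV_LOOKALIKE.search(d))


def detect(events):
    """Return one alert string per event that matches a heuristic for this chain."""
    alerts = []
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process" and image.endswith("\\mshta.exe"):
            m = HTA_ARG.search(ev["cmd"])
            # An HTA launched from a drive other than the system drive is consistent
            # with a freshly mounted VHD such as vacation5.vhd.
            if m and m.group(1).upper() != "C":
                alerts.append(f"mshta.exe ran an HTA from mounted volume {m.group(1).upper()}:")
        elif ev["type"] == "file" and image.endswith("\\mshta.exe") and TEMP_DIR.search(ev["path"]):
            alerts.append(f"mshta.exe wrote {ev['path']} into %TEMP%")
        elif ev["type"] == "dns" and (TEMP_DIR.search(image) or is_gov_il_lookalike(ev["query"])):
            alerts.append(f"{ev['image']} resolved suspicious domain {ev['query']}")
    return alerts
```

Each heuristic on its own is noisy in a real environment; the value is in correlating them on one host within a short window.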

HARFANGLAB's analysis has shown more infrastructure that is likely to have been used in similar attack campaigns.

Staging servers and custom WordPress websites hosted on domains registered through GoDaddy, such as “economy-gov-il[.]com,” “portal.operative-sintecmedia[.]com,” and “carlsberg[.]site,” were utilized to distribute malware via drive-by download schemes.

[Figure: Fake Operatives finance portal, one of the fake WordPress websites | Credits: HARFANGLAB]

An interesting incident occurred where a custom WordPress site redirected to Rick Astley's “Never Gonna Give You Up” video, a prank commonly referred to as “rickrolling.”

This suggests that the attackers may have used the prank either to confuse whoever reached the site or simply to amuse themselves.

The findings from HARFANGLAB highlight the narrow focus and precise targeting of the campaign, as only a small number of samples are connected to this specific cluster of activities.
