An raising variety of threat actors have begun relying on the command-and-manage (C2) framework Sliver as an open-supply choice to resources this sort of as Metasploit and Cobalt Strike.
Security scientists at Cybereason explained the new phenomenon in an advisory released final Thursday, incorporating that Sliver is gaining popularity because of to its modular abilities (through Armory), cross-system assist and wide amount of characteristics.
“Sliver C2 is having more and far more traction considering that its launch in 2020,” reads the report. “As of currently, the number of risk intelligence reports is even now low, and the key studies explain the use of the Russian SVR leveraging Sliver C2.”
In particular, the crew mentioned it currently found Sliver with recognised threat actors and malware families such as BumbleBee and APT29 (also known as Cozy Bear).
The Golang-based, post-exploitation framework experienced been designed by cybersecurity firm Bishop Fox to give pink staff specialists with various penetration screening resources. These include dynamic code generation, compile-time obfuscation, multiplayer manner and staged and stageless payloads, among the many others.
“Sliver is intended as a 2nd phase payload which, immediately after deployment, provides the danger actor total access to the concentrate on procedure and the capability to perform the future measures in the attack chain,” explained researchers Loïc Castel and Meroujan Antonyan in the Cybereason advisory.
According to the cybersecurity gurus, an attack sequence leveraging the C2 framework could guide to privilege escalation, credential theft and lateral movement. A proof-of-thought attack by Cybereason confirmed that attackers could in the long run take in excess of the domain controller to exfiltrate sensitive knowledge.
To place attacks exploiting the system, Castel and Antonyan suggested providers enjoy out for special network and method signatures.
“The detection of Sliver C2 is achievable as this framework creates distinct signatures when executing Sliver-precise attributes,” reads the advisory. “Detections and fingerprinting of the infrastructure server also exist and are detailed in this write-up.”
The Cybereason advisory arrives two months immediately after Proofpoint security researchers warned that a new red-teaming device dubbed “Nighthawk” might before long be exploited by threat actors.
Some parts of this article are sourced from: