The legitimate command-and-control (C2) framework known as Sliver is gaining more traction with threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit.
The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.
Sliver, developed by the cybersecurity firm Bishop Fox, is a Golang-based, cross-platform post-exploitation framework designed to be used by security professionals in their red team operations.
Its many features for adversary simulation, including dynamic code generation, in-memory payload execution, and process injection, have also made it an attractive tool for threat actors looking to gain elevated access to the target system after establishing an initial foothold.
In other words, the software is used as a second stage to carry out the next steps of the attack chain after a device has already been compromised through one of the initial intrusion vectors, such as spear-phishing or the exploitation of unpatched flaws.
“Sliver C2 implant is executed on the workstation as a stage-two payload, and from [the] Sliver C2 server we get a shell session,” Cybereason researchers Loïc Castel and Meroujan Antonyan said. “This session provides multiple ways to execute commands and other scripts or binaries.”
A hypothetical attack sequence detailed by the Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, followed by credential theft and lateral movement, to ultimately take over the domain controller for the exfiltration of sensitive data.
Sliver has been weaponized in recent years by the Russia-linked APT29 group (aka Cozy Bear) as well as by cybercrime operators such as Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which is associated with the Bumblebee malware loader.
That said, Sliver is far from the only open source framework to be abused for malicious ends. Last month, Qualys disclosed how several hacking groups, including Turla, Vice Society, and Wizard Spider, have used Empire for post-exploitation and to expand their foothold in victim environments.
“Empire is a remarkable post-exploitation framework with expansive capabilities,” Qualys security researcher Akshat Pradhan said. “This has led to it becoming a frequent favorite toolkit of various adversaries.”
Some parts of this article are sourced from:
thehackernews.com