An escalating amount of menace actors have began relying on the command-and-command (C2) framework Sliver as an open up-resource alternate to applications this sort of as Metasploit and Cobalt Strike.
Security researchers at Cybereason described the new phenomenon in an advisory printed previous Thursday, adding that Sliver is attaining popularity owing to its modular abilities (by using Armory), cross-platform assistance and extensive amount of functions.
“Sliver C2 is receiving extra and a lot more traction because its release in 2020,” reads the report. “As of today, the quantity of danger intelligence reviews is even now reduced, and the primary studies explain the use of the Russian SVR leveraging Sliver C2.”
In specific, the team mentioned it already discovered Sliver with regarded danger actors and malware households these kinds of as BumbleBee and APT29 (also identified as Cozy Bear).
The Golang-dependent, article-exploitation framework experienced been designed by cybersecurity business Bishop Fox to deliver purple staff experts with many penetration testing equipment. These involve dynamic code technology, compile-time obfuscation, multiplayer manner and staged and stageless payloads, among others.
“Sliver is made as a second stage payload which, right after deployment, provides the menace actor total accessibility to the concentrate on program and the capacity to conduct the up coming actions in the attack chain,” stated scientists Loïc Castel and Meroujan Antonyan in the Cybereason advisory.
In accordance to the cybersecurity experts, an attack sequence leveraging the C2 framework could guide to privilege escalation, credential theft and lateral motion. A proof-of-strategy attack by Cybereason confirmed that attackers could ultimately just take in excess of the area controller to exfiltrate sensitive details.
To spot attacks exploiting the system, Castel and Antonyan encouraged companies look at out for exceptional network and process signatures.
“The detection of Sliver C2 is achievable as this framework generates precise signatures when executing Sliver-particular features,” reads the advisory. “Detections and fingerprinting of the infrastructure server also exist and are outlined in this article.”
The Cybereason advisory comes two months right after Proofpoint security researchers warned that a new purple-teaming software dubbed “Nighthawk” may quickly be exploited by threat actors.
Some elements of this post are sourced from: