Monday, January 23, 2023

Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks


Jan 23, 2023 · Ravie Lakshmanan · Threat Detection / Infosec

The legitimate command-and-control (C2) framework known as Sliver is gaining more traction among threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit.

The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.

Sliver, developed by cybersecurity company BishopFox, is a Golang-based, cross-platform post-exploitation framework designed for use by security professionals in their red team operations.

Its many adversary-simulation features – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to a target system after establishing an initial foothold.

[Image: Sliver C2 Framework]

In other words, the software is used as a second stage to carry out the subsequent steps of the attack chain after a machine has already been compromised through one of the initial intrusion vectors, such as spear-phishing or exploitation of unpatched flaws.

“Sliver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session,” Cybereason researchers Loïc Castel and Meroujan Antonyan said. “This session provides multiple methods to execute commands and other scripts or binaries.”

A hypothetical attack sequence detailed by the Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, followed by credential theft and lateral movement, to eventually take over the domain controller for the exfiltration of sensitive data.

Sliver has been weaponized in recent years by the Russia-linked APT29 group (aka Cozy Bear) as well as by cybercrime operators such as Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which is attributed to the Bumblebee malware loader.


That said, Sliver is far from the only open source framework to be exploited for malicious ends. Last month, Qualys disclosed how several hacking groups, including Turla, Vice Society, and Wizard Spider, have used Empire for post-exploitation and to expand their foothold in victim environments.

“Empire is an impressive post-exploitation framework with expansive capabilities,” Qualys security researcher Akshat Pradhan said. “This has led to it becoming a frequent favorite toolkit of several adversaries.”
