Sliver, a legitimate command-and-control (C2) framework, is gaining attention from attackers as it emerges as an open source alternative to Cobalt Strike and Metasploit.
The findings come from Cybereason, which detailed the framework's inner workings in an in-depth analysis published last week.
Developed by the cybersecurity firm Bishop Fox, Sliver is a Golang-based, cross-platform post-exploitation framework designed for use by security professionals in red team operations.
Dynamic code generation, in-memory payload execution, process injection, and a myriad of other adversary-simulation features make it an attractive tool for attackers looking to establish a foothold and gain elevated access on a target system.
In other words, once an attacker has compromised a machine through one of the usual initial intrusion vectors, such as spear phishing or exploitation of an unpatched vulnerability, Sliver is deployed as a second-stage payload to carry out the next steps of the attack chain.
“The Sliver C2 implant was run on a workstation as a second-stage payload, [and] the Sliver C2 server gets a shell session,” said Cybereason researchers Loïc Castel and Meroujan Antonyan.
A hypothetical attack sequence detailed by the Israeli cybersecurity firm shows Sliver being used for privilege escalation, followed by credential theft and lateral movement, and eventually compromising the domain controller to extract sensitive data.
Sliver has been weaponized in recent years by the Russia-affiliated APT29 group (aka Cozy Bear) and by cybercriminal groups such as Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which has been linked to the Bumblebee malware loader.
Sliver is not the only open source framework that has been abused for malicious purposes, however. Last month, Qualys revealed how multiple hacking groups, including Turla, Vice Society, and Wizard Spider, used the Empire post-exploitation framework to gain a foothold in a victim’s environment.
Qualys security researcher Akshat Pradhan said: “This makes it a toolkit frequently preferred by multiple attackers.”