Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

Jan 23, 2023Ravie LakshmananThreat Detection / Infosec


The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit.

The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.

Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that is designed for use by security professionals in their red team operations.

Its myriad features for adversary simulation, including dynamic code generation, in-memory payload execution, and process injection, have also made it an appealing tool for threat actors looking to gain elevated access to the target system after gaining an initial foothold.

[Image: Sliver C2 Framework]

In other words, the software is used as a second stage to carry out the subsequent steps of the attack chain after a machine has already been compromised through one of the initial intrusion vectors, such as spear-phishing or exploitation of unpatched flaws.

"Sliver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session," Cybereason researchers Loïc Castel and Meroujan Antonyan said. "This session provides multiple methods to execute commands and other scripts or binaries."

A hypothetical attack sequence detailed by the Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, followed by credential theft and lateral movement to ultimately take over the domain controller for the exfiltration of sensitive data.

Sliver has been weaponized in recent years by the Russia-linked APT29 group (aka Cozy Bear) as well as cybercrime operators like Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which is attributed to the Bumblebee malware loader.

[Image: Sliver C2 Framework]

That said, Sliver is far from the only open source framework to be exploited for malicious ends. Last month, Qualys disclosed how several hacking groups, including Turla, Vice Society, and Wizard Spider, have utilized Empire for post-exploitation and to expand their foothold in victim environments.

"Empire is a powerful post exploitation framework with expansive capabilities," Qualys security researcher Akshat Pradhan said. "This has led to it becoming a frequent favorite toolkit of several adversaries."
