Attackers are increasingly relying on Sliver, an open source command and control (C2) framework, as an alternative to tools like Metasploit and Cobalt Strike.
Security researchers at Cybereason describe the trend in an advisory published last Thursday.
“Sliver C2 continues to gain momentum since its release in 2020,” reads the report. “As of today, the number of threat intelligence reports is still low, with the main report describing the use of Sliver C2 by Russia’s SVR.”
Specifically, the team said Sliver is already being used by known threat actors and malware families, including Bumblebee and APT29 (also known as Cozy Bear).
The Golang-based post-exploitation framework was developed by cybersecurity firm Bishop Fox to give red team professionals a set of penetration testing capabilities. These include dynamic code generation, compile-time obfuscation, a multiplayer mode, staged and stageless payloads, and more.
“Sliver was designed as a second-stage payload, and once deployed, the threat actor would have full access to the target system, allowing them to perform the next step in the attack chain,” Cybereason researchers Loïc Castel and Meroujan Antonyan explain.
According to the researchers, a chain of attacks leveraging the C2 framework could lead to privilege escalation, credential theft, and lateral movement. In a proof-of-concept attack, Cybereason showed that an attacker could eventually take over a domain controller and exfiltrate sensitive data.
To uncover attacks that abuse the platform, Castel and Antonyan recommend that companies watch for its unique network and system signatures.
“Detection of Sliver C2 is possible because the framework creates specific signatures when performing Sliver-specific functions,” reads the advisory. “There is also the discovery and fingerprinting of infrastructure servers.”
The Cybereason advisory was published two months after Proofpoint security researchers warned that a new red teaming tool called “Nighthawk” could soon be exploited by attackers.