Nation-state threat actors are increasingly adopting and integrating the Sliver command-and-control (C2) framework into their intrusion campaigns as an alternative to Cobalt Strike.
“With Cobalt Strike’s popularity as an offensive tool, defenses against it have also improved over time,” Microsoft security experts said. “Sliver therefore offers an attractive alternative for actors looking for a lesser-known toolkit with a low barrier to entry.”
Sliver, first released at the end of 2019 by the cybersecurity company BishopFox, is an open-source, Go-based C2 platform that supports user-developed extensions, custom implant generation, and other command options.
A C2 framework typically consists of a server that accepts connections from implants running on compromised systems, and a client that allows C2 operators to interact with those implants and issue malicious commands.
Besides facilitating long-term access to infected hosts, the cross-platform toolkit is also known to deliver stagers, which are payloads primarily intended to retrieve and launch a fully featured backdoor on compromised systems.
Included among its users is a prolific ransomware-as-a-service (RaaS) affiliate tracked as DEV-0237 (aka FIN12) that has previously taken advantage of initial access obtained from other groups (so-called initial access brokers) to deploy ransomware strains such as Ryuk, Conti, Hive, and BlackCat.
Microsoft says it recently observed cybercriminals dropping Sliver and other post-exploitation tools by embedding them in the Bumblebee (aka COLDTRAIN) loader, which emerged earlier this year as a successor to BazarLoader and has links to the larger Conti syndicate.
The switch from Cobalt Strike to a freely available tool is seen as an attempt by adversaries to reduce their chances of exposure in a compromised environment and to make attribution more challenging, lending their campaigns greater stealth and persistence.
Sliver is not the only framework that has attracted the attention of malicious actors. In recent months, campaigns undertaken by a suspected Russian state-sponsored group have involved another legitimate adversary simulation tool called Brute Ratel.
“Sliver and many other C2 frameworks are another example of how threat actors continually try to evade automated security detections,” Microsoft said.