In recent years, the use of Cobalt Strike and Metasploit as tools for attacks on various types of systems has become very popular among attackers.
However, security tools have learned to detect and stop attacks that rely on these frameworks, based on the information collected about them. To avoid detection by EDR and various antivirus solutions, hackers have had to try other options.
I didn't have to search for long: experts have recently seen a surge of interest in Sliver, an open source cross-platform kit that appeared after Brute Ratel.
Moreover, a number of nation-state threat actors have already adopted the Sliver C2 framework and integrated it into their intrusion campaigns.
At first, attackers switched to Brute Ratel, an adversary simulation tool designed to evade security products, as an alternative to Cobalt Strike, but progress in the development of such solutions prompted them to move on to Sliver.
Microsoft has already tracked the adoption of Sliver as an attack tool by the hacker group DEV-0237 (also known as FIN12), as well as by several other ransomware operators involved in the activity associated with BazarLoader and TrickBot.
Although Sliver infrastructure is considered a new threat, there are ways to detect its malicious activity.
To identify Sliver, Microsoft provides defenders with a set of TTPs that can be used to recognize it.
For example, the unconfigured C2 codebase, which contains the official and unmodified Sliver code, can be used to derive detections for Sliver payloads. There are also operator commands that can be used as indicators when building threat-hunting procedures, such as: migrate, spawndll, sideload, msf-inject, execute-assembly, getsystem.
The guidance and the set of detection rules are publicly available. In the case of customized versions of Sliver, alas, things are more complicated, but Microsoft and other specialists in the field are actively working on solutions.
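As an added example (not part of the original article or of Microsoft's published rules), the hunting idea above, turned into a small checker: it scans telemetry lines for the six Sliver operator commands named on this page, matching whole tokens only so that look-alike words such as "migrated" or "GetSystemTime" do not produce hits. The log format and the sample lines are constructed for illustration; it assumes a data source in which operator commands are visible (for instance a captured session transcript or a command audit log).

```python
import re

# Sliver operator commands named in the hunting guidance discussed above.
SLIVER_HUNT_COMMANDS = (
    "migrate", "spawndll", "sideload", "msf-inject", "execute-assembly", "getsystem",
)

# Whole-token, case-insensitive match: the command must not be glued to letters,
# digits, underscores or hyphens on either side, so "migrated" is not a hit.
_PATTERN = re.compile(
    r"(?<![\w-])(" + "|".join(re.escape(c) for c in SLIVER_HUNT_COMMANDS) + r")(?![\w-])",
    re.IGNORECASE,
)


def find_sliver_commands(lines):
    """Return (line_number, command) pairs for every listed command seen in the lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in _PATTERN.finditer(line):
            hits.append((number, match.group(1).lower()))
    return hits


# Constructed sample telemetry (hypothetical format, not real logs).
SAMPLE_LOG = """\
2023-01-10T10:01:02Z session=7 cmd="getsystem"
2023-01-10T10:01:09Z session=7 cmd="execute-assembly /tmp/tool.exe"
2023-01-10T10:02:30Z worker process migrated to node 2
2023-01-10T10:03:11Z session=7 cmd="migrate 4412"
2023-01-10T10:03:40Z scheduler: GetSystemTime called
""".splitlines()

if __name__ == "__main__":
    for number, command in find_sliver_commands(SAMPLE_LOG):
        print(f"line {number}: Sliver operator command '{command}'")
```

A hit is a hunting lead, not a verdict: some of these names are also legitimate words, so matches should be reviewed alongside the process tree and network context of the host.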
Cybereason experts believe that the software is used as a second-stage payload to carry out the next steps of the attack chain after the computer has already been compromised through one of the initial access vectors, namely targeted phishing or unpatched vulnerabilities.
The presumed attack sequence detailed by the Israeli company shows that Sliver can be used to elevate privileges, followed by credential theft and lateral movement, in order to eventually take over a domain controller and steal sensitive data.
According to the researchers, Sliver has previously been weaponized by such well-known groups as APT29 (Cozy Bear), Shathak (TA551) and Exotic Lily (Projector Libra), the latter of which is the group to which the malicious Bumblebee loader is attributed.
However, Sliver is far from the only open source platform that can be used for malicious purposes.
Last month, Qualys revealed how several hacker groups, including Turla, Vice Society and Wizard Spider, used Empire for post-exploitation and to expand their foothold in the victim's environment.