An increasing number of threat actors have started relying on the command-and-control (C2) framework Sliver as an open-source alternative to tools such as Metasploit and Cobalt Strike.
Security researchers at Cybereason described the new phenomenon in an advisory published last Thursday, adding that Sliver is gaining popularity due to its modular capabilities (via Armory), cross-platform support and vast number of features.
“Sliver C2 is getting more and more traction since its release in 2020,” reads the report. “As of today, the number of threat intelligence reports is still low, and the main reports describe the use of the Russian SVR leveraging Sliver C2.”
In particular, the team said it already noticed Sliver with known threat actors and malware families such as BumbleBee and APT29 (also known as Cozy Bear).
The Golang-based, post-exploitation framework had been designed by cybersecurity firm Bishop Fox to provide red team professionals with several penetration testing tools. These include dynamic code generation, compile-time obfuscation, multiplayer mode and staged and stageless payloads, among others.
“Sliver is designed as a second stage payload which, after deployment, gives the threat actor full access to the target system and the ability to conduct the next steps in the attack chain,” explained researchers Loïc Castel and Meroujan Antonyan in the Cybereason advisory.
According to the cybersecurity experts, an attack sequence leveraging the C2 framework could lead to privilege escalation, credential theft and lateral movement. A proof-of-concept attack by Cybereason showed that attackers could ultimately take over the domain controller to exfiltrate sensitive data.
To spot attacks exploiting the platform, Castel and Antonyan recommended companies watch out for unique network and system signatures.
“The detection of Sliver C2 is possible as this framework creates specific signatures when executing Sliver-specific features,” reads the advisory. “Detections and fingerprinting of the infrastructure server also exist and are listed in this article.”
The Cybereason advisory comes two months after Proofpoint security researchers warned that a new red-teaming tool dubbed “Nighthawk” may soon be exploited by threat actors.