Threat actors are starting to rely more on the open source command-and-control (C2) framework Sliver as a substitute for programmes like Metasploit and Cobalt Strike.
In a warning released last Thursday, security researchers at Cybereason outlined the emerging trend and noted that Sliver is gaining popularity because of its modular capabilities (through Armory), cross-platform compatibility, and abundance of features.
The company noted in particular that it had already observed Sliver used alongside known threat actors and malware families such as BumbleBee and APT29 (also known as Cozy Bear). Sliver is a post-exploitation framework written in Go by the cybersecurity company Bishop Fox to give red team members access to a range of penetration testing capabilities. These include, among other things, staged and stageless payloads, compile-time obfuscation, multiplayer mode, and dynamic code generation.
According to the researchers, an attack sequence built on the C2 framework may result in privilege escalation, credential theft, and lateral movement. In a proof-of-concept attack, Cybereason demonstrated how an attacker could eventually seize control of the domain controller and exfiltrate sensitive data. The Cybereason researchers, Castel and Antonyan, urged businesses to keep an eye out for distinctive network and system signatures in order to detect attacks that abuse the platform.
The Cybereason advice comes two months after Proofpoint security experts expressed concern that threat actors would soon exploit the new red-teaming tool known as “Nighthawk.”