Hackers use Sliver toolkit instead of Cobalt Strike
Threat actors are abandoning Cobalt Strike's penetration testing suite in favor of similar lesser-known frameworks. After Brute Ratel, the open source, cross-platform kit called Sliver is becoming an attractive alternative. However, malicious activity using Sliver can be detected with hunting queries derived from analysis of the toolkit, its workings and its components.
Abandoning Cobalt Strike
Over the years, Cobalt Strike has grown in popularity as an attack tool for various threat actors, including ransomware operations. As defenders have learned to detect and stop attacks relying on this toolkit, hackers are trying other options that can evade Endpoint Detection and Response (EDR) and antivirus solutions.

Threat actors have found alternatives after facing stronger defenses against Cobalt Strike. Palo Alto Networks found they were turning to Brute Ratel, an adversarial attack simulation tool designed to evade security products.

A report from Microsoft notes that hackers, from government-sponsored groups to cybercrime gangs, are increasingly using the Go-based security testing tool Sliver (built by researchers at cybersecurity firm BishopFox) in more and more attacks.
A group that deployed Sliver is tracked by Microsoft as DEV-0237. This gang, also known as FIN12, has been linked to various ransomware operators. In the past, it has distributed ransomware payloads from several ransomware operators (Ryuk, Conti, Hive, and BlackCat) through various malware, including BazarLoader and TrickBot.

According to a report from the UK Government Communications Headquarters (GCHQ), Russian state-sponsored agents, notably APT29 (aka Cozy Bear, The Dukes, Grizzly Steppe), have also used Sliver to maintain access to compromised environments.

Microsoft notes that Sliver has been used in recent attacks involving the Bumblebee (Coldtrain) malware loader, which is linked to the Conti criminal group, as a replacement for BazarLoader.
Sliver-based hunting activities
Although this is a new threat, there are ways to detect malicious activity caused by the Sliver framework as well as more stealthy threats.
Microsoft provides a set of tactics, techniques, and procedures (TTPs) that defenders can use to detect Sliver and other emerging C2 frameworks.
Because Sliver's command-and-control network supports multiple protocols (DNS, HTTP/TLS, mTLS, TCP), accepts implant/operator connections, and can impersonate a legitimate web server, threat hunters can set up listeners for Sliver infrastructure to detect anomalies in the network.
"Some common malware artifacts are unique combinations of HTTP headers and JARM hashes, the latter of which are active fingerprinting techniques for TLS servers [methodology for RiskIQ's Sliver and Bumblebee]," says Microsoft.
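A small hunting script in that spirit, added here as an illustration rather than taken from Microsoft's or RiskIQ's published queries: it reads constructed TLS/HTTP connection records, matches the server's JARM against a watchlist (the watchlist entry is a labelled placeholder, not a real Sliver fingerprint), and flags response-header combinations seen on unusually few hosts.

```python
import json
from collections import defaultdict

# Placeholder only: substitute JARM values you have fingerprinted from Sliver
# listeners in your own lab. This string is constructed and matches nothing real.
JARM_WATCHLIST = {"PLACEHOLDER-SLIVER-JARM-0000000000000000000000000000000000000000"}

# Constructed sample connection log (JSON lines): destination, JARM of the TLS
# server, and the HTTP response header names it returned. Not real traffic.
SAMPLE_LOG = """
{"dst": "203.0.113.10", "dst_port": 443, "jarm": "PLACEHOLDER-SLIVER-JARM-0000000000000000000000000000000000000000", "resp_headers": ["Server", "Date", "Content-Type", "Content-Length"]}
{"dst": "198.51.100.7", "dst_port": 8443, "jarm": "benign-jarm-a", "resp_headers": ["Cache-Control", "Content-Type", "Date"]}
{"dst": "192.0.2.20", "dst_port": 443, "jarm": "benign-jarm-b", "resp_headers": ["Server", "Date", "Content-Type", "Content-Length"]}
{"dst": "192.0.2.21", "dst_port": 443, "jarm": "benign-jarm-b", "resp_headers": ["content-type", "server", "date", "content-length"]}
""".strip()

def load_records(text):
    """Parse JSON-lines log text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def header_profile(headers):
    """Case- and order-insensitive fingerprint of the header set a server sends."""
    return tuple(sorted(h.lower() for h in headers))

def hunt(records, rare_threshold=1):
    """Map each suspicious destination to the reasons it was flagged.

    A destination is flagged when its JARM is on the watchlist, or when its
    response-header combination is seen on no more than `rare_threshold`
    distinct destinations across the whole log (an unusual combination)."""
    hosts_per_profile = defaultdict(set)
    for r in records:
        hosts_per_profile[header_profile(r["resp_headers"])].add(r["dst"])
    findings = defaultdict(set)
    for r in records:
        if r.get("jarm") in JARM_WATCHLIST:
            findings[r["dst"]].add("jarm-watchlist")
        if len(hosts_per_profile[header_profile(r["resp_headers"])]) <= rare_threshold:
            findings[r["dst"]].add("rare-header-combination")
    return {dst: sorted(reasons) for dst, reasons in findings.items()}

if __name__ == "__main__":
    for dst, reasons in hunt(load_records(SAMPLE_LOG)).items():
        print(dst, ", ".join(reasons))
```

Header rarity is only meaningful over a large baseline; on real logs, raise `rare_threshold` to suit the size of your environment and review hits alongside the JARM and TLS certificate details.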
Microsoft also shared information on how to identify Sliver payloads (shellcode, executables, shared libraries/DLLs, and services) that are built using the official, non-custom codebase for the C2 framework.
For Sliver malware code, Microsoft recommends extracting configurations when they are loaded into memory, as the framework must de-obfuscate and decrypt them before they can be used.
Memory scanning can enable researchers to extract details such as configuration data.
Threat hunters can also look for commands used for process injection, which the default Sliver code achieves without deviating from common implementations.
Microsoft notes that the toolkit also relies on plugins and aliases (Beacon Object Files (BOFs), .NET programs, and other third-party tools) for command injection.
The framework also uses PsExec to execute commands that allow lateral movement.
To make it easier for companies protected by Defender to identify Sliver activity in their environment, Microsoft has created a set of hunting queries that can be run in the Microsoft 365 Defender portal.
Microsoft emphasizes that the provided set of detection rules and hunting guides covers the Sliver codebase that is currently publicly available. Microsoft's queries may not properly recognize customized Sliver variants.