Tuesday, October 8, 2024
HomeCyber Security NewsThreat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

Threat Actors Moving to Sliver Command-and-Control (C2) to Evade Detection

Published on

In favor of similar frameworks less familiar to threat actors, threat actors are ditching Cobalt Strike penetration testing. There has been a surge of interest recently in an open-source, cross-platform kit called Sliver that has emerged after Brute Ratel.

By analyzing the toolkit, its operation, and its components, hunting queries can be used to detect malicious activity involving Sliver. A number of nation-state threat actors have been adopting and integrating the Sliver C2 framework into their intrusion campaigns.

The Migration from Cobalt Strike

It has become increasingly popular in recent years for various threat actors to use Cobalt Strike as an attack tool against various kinds of systems.

- Advertisement - EHA

By using this toolkit, defenses have learned to detect and stop attacks based on the information they collect. The reason for this is to avoid detection by EDR and antivirus solutions, which is why hackers are trying other options.

Threat actors have found alternatives to the Cobalt Strike as a result of the stronger defenses that have been deployed against it. They went and switched over to Brute Ratel, a tool that simulates adversarial attacks with the aim of evading security products.

Microsoft tracks the adoption of Sliver by one group as DEV-0237. FIN12, as well as several other ransomware operators, have been implicated in the gang’s activities.

Several ransomware operators have distributed malware payloads from the gang in the past, including the following:-

  • BazarLoader
  • TrickBot

Threat Hunting

Although the Sliver framework is regarded as a novel threat, there are ways to detect malicious activity originating from it as well as from stealthier threats that cannot be detected by no means.

In order to identify Sliver and other emerging C2 frameworks, Microsoft provides defenders with a set of TTPs which are able to be used to identify them.

Microsoft also disclosed that the non-customized C2 codebase, which contains the official and non-modified code for detecting Sliver payloads, is useful for detecting such payloads.

There are also commands that can be used for process injection that threat hunters can look for. This can be achieved by using the following commands:-

  • migrate (command) – migrate into a remote process
  • spawndll (command) – load and run a reflective DLL in a remote process
  • sideload (command) – load and run a shared object (shared library/DLL) in a remote process
  • msf-inject (command) – inject a Metasploit Framework payload into a process
  • execute-assembly (command) – load and run a .NET assembly in a child process
  • getsystem (command) – spawn a new Sliver session as the NT AUTHORITY\SYSTEM user

At the moment the detection rule sets and hunting guidance are publicly available. In the case of customized variants, there is a possibility that Microsoft’s searches will be impacted by the use of customized variants.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....