Threat actors are transitioning away from the Cobalt Strike suite of penetration testing tools in favor of less well-known frameworks that are similar.
Sliver, an open-source, cross-platform kit, is emerging as a viable replacement for Brute Ratel. Utilizing research queries derived by examining the toolkit, how sliver functions, its components, and malicious activity using it can be found.
Cobalt Strike, a toolkit enabling attackers to deploy "beacons" on compromised machines to conduct remote network surveillance or issue instructions, has long been one of the most well-liked tools in red team engagements.
Hackers are attempting various methods that can avoid Endpoint Detection and Response (EDR) and antivirus solutions because defenders have learned to detect and block assaults depending on this toolkit.
Hackers have developed alternatives as Cobalt Strike's defenses have gotten stronger. They switched to Brute Ratel, an adversarial attack simulation program meant to avoid security products, as seen by Palo Alto Networks.
According to a Microsoft analysis, hackers of all stripes—from state-sponsored organizations to cybercrime gangs—are increasingly employing the Go-based Sliver security testing tool created by experts at BishopFox cybersecurity firm in their attacks.
Microsoft tracks one group that adopted Sliver as DEV-0237. The gang, also known as FIN12, has been connected to several ransomware developers. The gang in the past, has used malware, such as TrickBot, to spread ransomware payloads from other ransomware operators.
State-sponsored actors in Russia, especially APT29 also known as Cozy Bear, The Dukes, and Grizzly Steppe, have reportedly also used Sliver to keep access to compromised environments, according to a report from the UK's Government Communications Headquarters (GCHQ).
Microsoft says that Sliver has been used in more recent attacks in place of BazarLoader using the Bumblebee (Coldtrain) malware loader, which is connected to the Conti syndicate.
Defenders can utilize Microsoft's set of tactics, techniques, and procedures (TTPs) to recognize Sliver and other new C2 frameworks. Hackers can set up listeners to detect anomalies on the network for Sliver infrastructure because the Sliver C2 network supports several protocols DNS, HTTP/TLS, MTLS, and TCP, accepts implants/operator connections, and can host files to imitate legitimate web servers.
Microsoft also provided details on how to recognize Sliver payloads produced from the C2 framework's official, unmodified source.
Microsoft advises removing configurations when they are put into memory for Sliver malware payloads that don't have a lot of contexts because the framework needs to de-obfuscate and decrypt them in order to use them.