Hackers are displaying a keen interest in Sliver, an open-source C2 framework, as they have been spotted using it in cyberattacks as a substitute for Cobalt Strike.
But why dump Cobalt Strike?
Cybercriminals deploy Cobalt Strike beacons on compromised networks to facilitate lateral movement. Security analysts have gradually improved their defenses against such Cobalt Strike deployments, resulting in increased detection of the penetration testing tool, which has forced threat actors to seek an alternative.
Microsoft’s observations
Sliver was recently adopted by DEV-0237, a cybercriminal group and prolific RaaS affiliate.
- The C2 framework has been used in recent attacks involving the Bumblebee malware loader.
- Sliver supports smaller payloads, or stagers, which many C2 frameworks use to reduce the amount of malicious code in an initial payload, making file-based detection more difficult.
- A key feature of the tool is its ability to limit implant execution to specific time frames, hosts, domain-joined machines, or users.
- This feature also prevents the implant from executing in unintended environments, such as sandboxes, which helps it evade detection.
A comparison between the tools
Sliver has capabilities similar to those of Cobalt Strike. Let’s check out what makes it a potential threat.
- Sliver ships with far more built-in modules than Cobalt Strike, making it easier for threat actors to exploit systems and leverage tooling to gain access.
- Cobalt Strike, by contrast, is a bring-your-own-payload or bring-your-own-module tool.
- Sliver lowers the barrier to entry for attackers: it allows greater customization of payload delivery and more ways to adapt attacks to evade defenses.
- Cobalt Strike is a commercial product, so threat actors must crack its license mechanism each time a new version is released; Sliver, by comparison, is a free, open-source project available on GitHub.
Sliver’s usage on the rise
Sliver has been used in several campaigns aimed at a wide range of organizations, including government, research, telecommunications, and higher education.
- Between February 3 and March 4, one campaign used Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey.
- During the first quarter of 2022, 143 Sliver samples were discovered that could potentially be used as a first-stage tool in malicious activity.
Conclusion
Sliver is a cross-platform tool and can therefore run on multiple operating systems, including Windows, macOS, and Linux.
Threat actors now have an alternative, but organizations cannot turn their attention away from Cobalt Strike. Sliver is one of several C2 frameworks attackers use as a replacement for Cobalt Strike, and defenders can identify them using the TTPs Microsoft has documented. The tech titan has also provided instructions for identifying Sliver payloads generated from the C2 framework's official codebase.