What started as an alternative to Cobalt Strike has become a trendy C2 framework for threat actors. Sliver, originally an open-source cross-platform adversary emulation/red team framework, provides all core capabilities for adversary simulation. Some of them include dynamic code generation, compile-time obfuscation, multiplayer mode, staged and stageless payloads, and Let's Encrypt integration.

A bit on Sliver

  • Sliver offers secure C2 over mTLS, WireGuard, HTTP(S), and DNS, Windows process migration, process injection, user token manipulation, in-memory .NET, assembly execution, COFF/BOF in-memory loader, and TCP and named pipe pivots.
  • The framework contains an extension package manager (armory) that allows easy installation (automatic compilation) of various third-party tools such as BOFs and .NET tooling including Ghostpack (Rubeus, Seatbelt, SharpUp, Certify, and more).

Threat actors leveraging Sliver

Research teams globally have observed multiple threat groups actively using Sliver.
  • Cybereason’s GSOC team recently reported that the Exotic Lily group was using LNK files to distribute BumbleBee loader malware. 
  • In June 2022, in a month-long AvosLocker campaign, attackers utilized several different tools, including Cobalt Strike, Sliver, and multiple commercial network scanners.
  • In the same month, a threat actor named DriftingCloud was found distributing three open-source malware families, including PupyRAT, Pantegana, and Sliver.
  • In October 2021, TA551 aka Shathak deployed the framework directly after the initial infection vector for much more flexibility.
  • In May 2021, the Russian hacking group APT29, also known as SVR, was leveraging this framework to ensure persistence on a compromised network.

Identification and mitigations

The framework creates a unique network and system signatures, which makes detection and fingerprinting of the infrastructure server efficient. To detect Sliver C2 attacks, users are recommended to navigate to Behavioral Execution Prevention (BEP) in the sensor policy and set both BEP and Variant Payload Prevention to Prevent. They are suggested to handle files originating from external sources such as emails and web browsing with caution.
Cyware Publisher

Publisher

Cyware