Image default

Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks

Jan 23, 2023Ravie LakshmananThreat Detection / Infosec

Silver C2 Framework

The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit.

The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.

Sliver, developed by cybersecurity company BishopFox, is a Golang-based cross-platform post-exploitation framework that’s designed to be used by security professionals in their red team operations.

Its myriad features for adversary simulation – including dynamic code generation, in-memory payload execution, and process injection – have also made it an appealing tool for threat actors looking to gain elevated access to the target system upon gaining an initial foothold.

Silver C2 Framework

In other words, the software is used as a second-stage to conduct next steps of the attack chain after already compromising a machine using one of the initial intrusion vectors such as spear-phishing or exploitation of unpatched flaws.

“Silver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session,” Cybereason researchers Loïc Castel and Meroujan Antonyan said. “This session provides multiple methods to execute commands and other scripts or binaries.”

A hypothetical attack sequence detailed by the Israeli cybersecurity company shows that Sliver could be leveraged for privilege escalation, following it up by credential theft and lateral movement to ultimately take over the domain controller for the exfiltration of sensitive data.

Sliver has been weaponized in recent years by the Russia-linked APT29 group (aka Cozy Bear) as well as cybercrime operators like Shathak (aka TA551) and Exotic Lily (aka Projector Libra), the latter of which is attributed to the Bumblebee malware loader.

Silver C2 Framework

That said, Sliver is far from the only open source framework to be exploited for malicious ends. Last month, Qualys disclosed how several hacking groups, including Turla, Vice Society, and Wizard Spider, have utilized Empire for post-exploitation and to expand their foothold in victim environments.

“Empire is an impressive post-exploitation framework with expansive capabilities,” Qualys security researcher Akshat Pradhan said. “This has led to it becoming a frequent favorite toolkit of several adversaries.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.


Related posts

U.S. Federal Agencies Fall Victim to Cyber Attack Utilizing Legitimate RMM Software

James Horns

Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks

James Horns

Vice Society Ransomware Attackers Adopt Robust Encryption Methods

James Horns

GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry

James Horns

Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years

James Horns

Ukraine Hit with New Golang-based ‘SwiftSlicer’ Wiper Malware in Latest Cyber Attack

James Horns

Leave a Comment