Hackers are Moving to Sliver C2 as an Alternative to Cobalt Strike

Threat actors are abandoning the Cobalt Strike suite in favour of a lesser-known, open-source, cross-platform tool known as Sliver C2.

Cobalt Strike has developed as an attack tool for numerous threat actors, including ransomware operations, to place “beacons” on infiltrated networks that allow them to move laterally to high-value systems.

Since defenders have learnt to detect and block attacks based on this toolkit, hackers are experimenting with various methods to avoid detection and prevention by Endpoint Detection and Response (EDR) and antivirus solutions.

Threat actors have explored alternatives in the face of better Cobalt Strike defences. For example, Palo Alto Networks saw them switching to Brute Ratel, a malicious attack simulation program designed to avoid detection by security solutions.

According to a Microsoft report, hackers from state-sponsored organizations to cybercrime gangs increasingly employ the Go-based C&C framework developed by experts at BishopFox cybersecurity startup in their attacks.

Microsoft tracks one group that accepted Sliver as DEV-0237. The group, also known as FIN12, has been linked to different ransomware operations.

Previously, the group delivered ransomware payloads from multiple ransomware operators (Ryuk, Conti, Hive, Conti, and BlackCat) using malware such as BazarLoader and TrickBot.

State-sponsored actors in Russia, especially APT29, have also utilized Sliver to maintain access to compromised environments, according to a study from the UK’s Government Communications Headquarters (GCHQ).

Microsoft warns that Sliver has been used in more recent attacks as a substitute for BazarLoader, employing the Bumblebee (Coldtrain) malware loader related to the Conti syndicate.

Looking for Sliver-related activities

Despite being a unique danger, there are ways to detect malicious behaviour generated by both the Sliver framework and stealthier threats.

Microsoft provides a collection of tactics, methods, and procedures (TTPs) for detecting Sliver and other upcoming C2 frameworks.

Threat hunters can set up listeners to detect anomalies on the network for Sliver infrastructure since the Sliver C2 network supports several protocols (DNS, HTTP/TLS, MTLS, TCP), allows implants/operator connections, and can host files to imitate genuine web server.

“Some frequent artifacts include unique HTTP header combinations and JARM hashes, the latter of which are active fingerprinting strategies for TLS servers [RiskIQ Sliver and Bumblebee approach].” Microsoft –

Microsoft also provided instructions for detecting Sliver payloads (shellcode, executables, shared libraries/DLLs, and services) written using the C2 framework’s standard, non-customized codebase.

Microsoft advises removing settings when Sliver malware payloads are put into memory. This is because this toolset has to de-obfuscate and decrypt them in order to use them.

Researchers may be able to obtain details such as configuration data by scanning the memory:

Threat hunters may also seek instructions used for process injection, which the default Sliver code performs without straying from standard implementations. Among the commands that may be used for this are:

• Migrate (command) – Enter a remote process.
• Sideload (command) – load and execute a shared object (shared library/DLL) in a remote process spawndll (command) – load and run a reflective DLL in a remote process
• msf-inject (command) – injects a Metasploit Framework payload into a process execute-assembly (command) – loads and executes a.NET assembly in a child process getsystem (command) – launches a new Sliver session as the NT AUTHORITYSYSTEM User

Microsoft adds that the toolkit relies on extensions and aliases or Beacon Object Files,.NET applications, and other third-party tools for command injection.

The framework also uses PsExec to execute instructions that allow for lateral movement.

Microsoft has designed a set of hunting queries for the aforementioned commands that can be conducted in the Microsoft 365 Defender site to make it simpler for organizations covered by Defender to spot Sliver activity in their environment.

Microsoft emphasizes that the detection rule sets and hunting assistance supplied are for the publicly accessible Sliver source. Therefore, customized variations will likely influence detection based on Microsoft’s inquiries.

Sharing is Caring!

You are welcome to put this blog article on your website, provided you also append an active link to our website “Source: https://resources.rhyno.io”

For media enquiries, contact us at [email protected].