Aug 26 2022

‘Sliver’ Emerges as Cobalt Strike Alternative for Malicious C2

Category: Command and controlDISC @ 9:56 am

Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.

Blurred hands on computer keyboard.

Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for “Sliver.” It’s an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.

“What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike [by defenders],” says Josh Hopkins, research lead at Team Cymru. “Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected,” he says.

Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.

Growing Use

Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.

Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.

An Attractive Alternative for Adversaries

Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.

Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant. 

“Stagers are used by many C2 frameworks to minimize the malicious code that’s included in an initial payload (for example, in a phishing email),” Microsoft said. “This can make file-based detection more challenging.”

Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.

“Sliver lowers the barrier of entry for attackers. [It] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses,” he notes. 

But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. “Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it,” he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.

And finally, the fact that it’s free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.

Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks

At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn. 

In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes. 

“Defenders would be unwise to take their eyes off Cobalt Strike,” Hopkins says. “Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks.”

Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called “Bumblebee“. The company’s chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors. 

“Sliver has a lot of features, [but] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users,” he says “This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection.”

Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes. 

Earlier this year, Palo Alto Networks’ Unit 42 threat-hunting team uncovered what appeared to be Russia’s notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign. 

Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called “Mythic” following some initial indications of adoption within the threat-actor community.

Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says. 

“[So], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks,” he notes.

Command-and-control servers: The puppet masters that govern malware

Malware Analysis

DISC InfoSec

#InfoSecTools and #InfoSectraining



Follow DISC #InfoSec blog

Ask DISC an InfoSec & compliance related question

Tags: C2, Cobalt Strike, Sliver, Threat Intelligence

Aug 04 2022

Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service

Category: Backdoor,Command and controlDISC @ 1:51 pm

Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations.

The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.

A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems.

The Dark Utilities operation is a ‘C2-as-a-service’ (C2aaS) that advertises reliable, anonymous C2 infrastructure and all the required additional functions for a starting price of just EUR 9,99.

A report from Cisco Talos says that the service has around 3,000 active subscribers, which would bring the operators a revenue of about EUR 30,000.

Dark Utilities login portal
Dark Utilities login portal (Cisco)

Dark Utilities emerged in early 2022 and offers full-blown C2 capabilities both on the Tor network and on the clear web. It hosts payloads in the Interplanetary File System (IPFS) – a decentralized network system for storing and sharing data.

Multiple architectures are supported and it appears that the operators are planning on expanding the list to provide a larger set of options of devices that could be targeted.

Platform selection on payload screen
Platform selection on payload screen (Cisco)

Cisco Talos researchers say that selecting an operating system generates a command string that “threat actors are typically embedding into PowerShell or Bash scripts to facilitate the retrieval and execution of the payload on victim machines.”

The selected payload also establishes persistence on the target system by creating a Registry key on Windows, or a Crontab entry or a Systemd service on Linux.

According to the researchers, the administrative panel comes with multiple modules for various types of attack, including distributed denial-of-service (DDoS) and cryptojacking.

With tens of thousands of threat actors already subscribed and the low price, Dark Utilities is likely to attract an even larger crowd of less-skilled adversaries.

Source: Thousands of hackers flock to ‘Dark Utilities’ C2-as-a-Service

Tags: C2, C2 as a service, command and control