Hackers Use Sliver as Open Source Alternative to Popular C2 Frameworks

Sliver, a legitimate command-and-control (C2) framework, is being used by hackers as an open source alternative to Cobalt Strike and Metasploit.

Cybereason studied the framework's inner workings in detail in an exhaustive analysis published last week.

Bishop Fox, the framework's developer, describes Sliver as a Golang-based, cross-platform post-exploitation framework designed to be used by security professionals in their red team operations.

Its key features include dynamic code generation, in-memory payload execution, and process injection. This makes it an appealing tool for threat actors looking to gain elevated access to a target system once they have an initial foothold.

As a result, after spear-phishing or exploiting unpatched vulnerabilities, the software is used as a second-stage payload to carry out the next steps in the attack chain.

Cybereason researchers Loïc Castel and Meroujan Antonyan said, "Sliver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session. This session provides multiple methods to execute commands and other scripts or binaries."

In a hypothetical attack sequence outlined by the Israeli cybersecurity company, Sliver could be used to escalate privileges, followed by credential theft and lateral movement to ultimately take over the domain controller and exfiltrate sensitive data.

Recently, the Russia-linked APT29 group (aka Cozy Bear) as well as cybercrime operators such as Shathak (aka TA551) and Exotic Lily (aka Projector Libra) have weaponized Sliver.

Sliver is not the only open source framework that has been repurposed for malicious ends. Several hacking groups, including Turla, Vice Society, and Wizard Spider, have used Empire for post-exploitation and to expand their foothold in victim environments, according to Qualys.

Qualys security researcher Akshat Pradhan said, "Empire is an impressive post-exploitation framework with expansive capabilities. This has led to it becoming a frequent favorite toolkit of several adversaries."
