The open source C&C tool Sliver is now replacing Cobalt Strike as hackers’ tool of choice for targeted attacks

Threat actors are  adopting and integrating increasingly framework Command and Control (C2) Sliver into their intrusion campaigns as a replacement for Cobalt Strike.

“Given the popularity of Cobalt Strike as an attack tool, defenses against it have also improved over time,” Microsoft security experts said. “Sliver presents an attractive alternative for players looking for a lesser-known toolset with a low barrier to entry”.

Sliver, first made public in late 2019 by cybersecurity firm BishopFox, is an open source C2 platform based on Go that supports user-developed extensions, custom implant generation, is cross-platform, and supports many other options. of control.

“A C2 framework typically includes a server that accepts connections from agents to a compromised system and a client application that allows C2 operators to interact with the agents and launch malicious commands,” Microsoft said.

In addition to facilitating long-term access to infected hosts, the cross-platform kit is also known to offer stagers, which are payloads primarily intended to recover and launch a full-featured backdoor on compromised systems.

Its users include a prolific Ransomware-as-a-Service (RaaS) affiliate tracked as DEV-0237 (also known as FIN12) who previously leveraged initial access acquired from other groups (also known as initial access brokers) to deploy various strains of malware. ransomware such as Ryuk, Conti, Hive, and BlackCat.

Microsoft said it recently observed cybercriminals downloading Sliver and other post-exploitation software by embedding them in the Bumblebee (also known as COLDTRAIN), which emerged earlier this year as a successor to BazarLoader and shares ties to the Conti syndicate.

Migrating Cobalt Strike to a freely available tool is seen as an attempt by adversaries to decrease their chances of exposure in a compromised environment and make attribution more challenging, giving their campaigns a higher level of stealth and persistence.

Sliver is not the only framework that has caught the attention of malicious actors. In recent months, campaigns waged by an alleged Russian state-sponsored group have involved another legitimate adversary attack simulation software called Brute Ratel (for a fee).

Written by Indian security researcher and Dark VortexChetan Nayak (aka Ninja Paranoid), Brute Ratel (BRc4) it is analogous to Cobalt Strike and is described as a “customized command and control center for Red Team and adversary simulation”.“Sliver and many other C2 frameworks are another example of threat actors continually trying to evade automated security detections,” Microsoft said.