Microsoft researchers have discovered that some threat actors are using another framework called Sliver.
Sliver is a fork of the popular Cobalt Strike tool, which both penetration testers and malicious actors use for purposes such as standing up command and control (C2) servers. While there are some similarities between the two tools, Sliver appears to be designed specifically for C2, with fewer features than Cobalt Strike.
Russian state-sponsored groups, including APT29, also known as Cozy Bear, The Dukes, and Grizzly Steppe, are using Sliver to maintain access to a number of existing WellMess and WellMail victims, and it is likely that many more will be targeted in the future.
Researchers believe that Sliver may be appealing to malicious actors because it is less well-known than Cobalt Strike and, therefore, may be less likely to be detected by security solutions. Also, Sliver's smaller feature set means that it is less complex and easier to use than Cobalt Strike.
Sliver is a malware platform that allows attackers to maintain persistent access to targeted machines and networks, so they can keep a presence on the victim's network even after traditional methods of access have been removed. It does this by communicating over a variety of network protocols, such as DNS, HTTP/TLS, mTLS, and TCP. Sliver can detect when it is being run in a sandbox environment and will not execute, which makes it even more difficult to detect and remove. Additionally, Sliver can impersonate a benign web server and host files, which allows the attackers to remain on the network and carry out further attacks.
Sliver uses Brute Ratel to brute force passwords. Brute Ratel has been observed in targeted attacks against a number of industries, including healthcare, finance, and manufacturing. The attacks using Sliver appear to be targeted and well-researched. This, combined with the use of a tool that is designed to avoid detection, makes it likely that these attacks will continue.
Despite the fact that Sliver is a relatively new tool, it's being used by some of the most sophisticated threat actors out there. Organizations should be aware of this threat and take steps to protect themselves. These steps include:
- Monitoring for suspicious network activity, such as unusual DNS or HTTP traffic
- Restricting access to systems and networks to only those who need it
- Implementing multi-factor authentication
- Keeping systems and software up to date
- Using antivirus and anti-malware software
- Monitoring for changes in system configuration and user behavior
- Backing up data regularly
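A starting point for the first recommendation, as an added example that is not from the article or the Sliver project: a small Python scorer that groups resolver log lines by parent domain and flags those whose subdomains look like encoded data rather than hostnames. The log lines, the thresholds and the two-label parent-domain rule are constructed assumptions; tune them against your own baseline.

```python
import math
import re
from collections import defaultdict
from statistics import fmean
# Constructed resolver log (not from the article): "<timestamp> <client> <qname> <qtype>". The
# c2-placeholder.test lines imitate beaconing over DNS: unique, long, random-looking subdomains.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 www.example.com A
2024-01-01T10:00:01Z 10.0.0.5 mail.example.com A
2024-01-01T10:00:02Z 10.0.0.5 www.example.com A
2024-01-01T10:00:03Z 10.0.0.7 a3f9c1e2b7d4k8m2.c2-placeholder.test TXT
2024-01-01T10:00:04Z 10.0.0.7 9e1d7b2c4a6fq1z5.c2-placeholder.test TXT
2024-01-01T10:00:05Z 10.0.0.7 5c8b2f0ad13e7r9x.c2-placeholder.test TXT
2024-01-01T10:00:06Z 10.0.0.7 b7e4a19d3c2f6y0w.c2-placeholder.test TXT
"""
LINE_RE = re.compile(r"^\S+\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_dns_log(text):
    """Return (client, qname, qtype) tuples; malformed lines are skipped."""
    rows = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2].lower().rstrip("."), m[3]) for m in rows if m]

def shannon_entropy(s):
    """Bits per character: encoded or random labels score well above ordinary hostnames."""
    return -sum(p * math.log2(p) for p in (s.count(c) / len(s) for c in set(s))) if s else 0.0

def parent_domain(qname):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def score_domains(records, min_queries=4, min_unique=0.9, min_entropy=3.0, min_len=12):
    """Per-parent-domain stats; 'suspicious' is set only when every threshold is exceeded."""
    by_parent = defaultdict(list)
    for _client, qname, _qtype in records:
        by_parent[parent_domain(qname)].append(qname)
    report = {}
    for parent, names in by_parent.items():
        labels = [n.split(".")[0] for n in names if n != parent] or [""]  # bare-apex lookups
        s = {"queries": len(names), "unique_ratio": len(set(names)) / len(names),
             "mean_entropy": fmean(shannon_entropy(l) for l in labels),
             "mean_label_len": fmean(len(l) for l in labels)}
        s["suspicious"] = (s["queries"] >= min_queries and s["unique_ratio"] >= min_unique
                           and s["mean_entropy"] >= min_entropy and s["mean_label_len"] >= min_len)
        report[parent] = s
    return report

def flagged_domains(log_text):
    """Sorted parent domains whose lookup pattern resembles data tunnelled through DNS."""
    return sorted(d for d, s in score_domains(parse_dns_log(log_text)).items() if s["suspicious"])
```

Entropy and label length alone will also catch legitimate CDN and telemetry names, so treat a hit as a triage lead to correlate with the client, query type and timing rather than as a verdict.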