Cybercriminals prefer the Sliver framework over other popular solutions


A command and control (C2) framework called Sliver is gaining popularity among attackers. It is promoted as an open-source alternative to other C2 solutions such as Cobalt Strike and Metasploit.

Sliver was developed by the cybersecurity company Bishop Fox. It is a cross-platform, Go-based post-exploitation framework designed for use by security professionals.

Sliver's broad set of adversary-emulation features, such as dynamic code generation, in-memory payload execution, and process injection, has made it an attractive tool for attackers seeking to deepen and elevate their access to a target system.
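Of the capabilities listed above, process injection is the one that leaves the most consistent host trace: on Windows, a remote thread created in another process is logged by Sysmon as Event ID 8 (CreateRemoteThread), which records the source image, target image and, when the thread start address maps to a module export, the start function. The following is an added example, not code from the article, from Cybereason's report or from the Sliver project: a small triage routine over constructed Sysmon-style events that separates baseline remote-thread activity from injection-like patterns. The allowlist, the sensitive-target list and the sample events are assumptions for illustration, not a vetted baseline.

```python
"""Triage CreateRemoteThread (Sysmon Event ID 8) records for process-injection patterns.

Added example. The field names follow Sysmon's Event ID 8 schema (SourceImage,
TargetImage, StartFunction); the allowlist, the sensitive-target set and every
sample event below are constructed assumptions, not telemetry from a real host.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: images that routinely create remote threads on a healthy host.
# A real deployment would derive this from its own baseline.
KNOWN_INJECTORS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Assumption: targets whose memory an attacker commonly injects into; a remote
# thread into one of these from a non-allowlisted source is rated high.
SENSITIVE_TARGETS = {
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\explorer.exe",
}

# Exported functions used as the thread start in classic DLL injection.
DLL_INJECTION_STARTS = {"loadlibrarya", "loadlibraryw"}


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_function: str  # "" when the start address is not a known export


@dataclass(frozen=True)
class Alert:
    source_image: str
    target_image: str
    severity: str
    reason: str


def classify(event: RemoteThreadEvent) -> Optional[Alert]:
    """Return an Alert for injection-like events, None for baseline activity."""
    src = event.source_image.lower()
    dst = event.target_image.lower()
    start = event.start_function.lower()

    if src in KNOWN_INJECTORS:
        return None  # expected behaviour for this source image

    if dst in SENSITIVE_TARGETS:
        return Alert(src, dst, "high",
                     "remote thread into sensitive process from non-allowlisted source")
    if start == "":
        # No export at the start address: the thread entry is unbacked memory,
        # the shape left by in-memory shellcode or a reflectively loaded payload.
        return Alert(src, dst, "medium",
                     "remote thread start address is not a module export")
    if start in DLL_INJECTION_STARTS:
        return Alert(src, dst, "medium",
                     "remote thread starts at LoadLibrary (DLL injection pattern)")
    return Alert(src, dst, "low",
                 "remote thread from non-allowlisted source, exported start function")


def scan(events: List[RemoteThreadEvent]) -> List[Alert]:
    """Classify every event and keep only those that produced an alert."""
    return [a for a in (classify(e) for e in events) if a is not None]


# Constructed sample events (hypothetical paths and processes).
SAMPLE_EVENTS = [
    RemoteThreadEvent(r"C:\Windows\System32\csrss.exe",
                      r"C:\Windows\System32\notepad.exe", ""),
    RemoteThreadEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                      r"C:\Windows\System32\lsass.exe", ""),
    RemoteThreadEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                      r"C:\Windows\System32\notepad.exe", ""),
    RemoteThreadEvent(r"C:\Users\alice\AppData\Local\Temp\update.exe",
                      r"C:\Windows\System32\notepad.exe", "LoadLibraryW"),
    RemoteThreadEvent(r"C:\Program Files\Vendor\agent.exe",
                      r"C:\Windows\System32\notepad.exe", "ThreadProc"),
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.source_image} -> {alert.target_image}: {alert.reason}")
```

The allowlisted csrss.exe event produces nothing; the four remaining events yield one high, two medium and one low alert. The routine is deliberately a triage filter rather than a Sliver signature: the page does not name implant-specific indicators, so the example stays at the level of the behaviour the paragraph describes.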

In other words, Sliver is used as a second-stage tool: it carries out the later steps of the attack chain after the machine has already been compromised by whatever initial-access means the criminals have at hand.

The hypothetical attack sequence detailed by Cybereason shows Sliver being used to escalate privileges on a host and then steal sensitive data.

In recent years, Sliver has been used offensively by APT29 (aka Cozy Bear), Shathak (aka TA551) and Exotic Lily (aka Projector Libra).

However, Sliver is far from the only open-source C2 framework that can be put to malicious use. Last month, Qualys revealed how several hacker groups, including Turla, Vice Society, and Wizard Spider, were using the Empire framework for post-exploitation and to expand their foothold.

“Empire is an impressive and powerful post-exploitation platform,” said Akshat Pradhan, security researcher at Qualys.