Nation-state threat actors are increasingly adopting and integrating the Sliver command and control (C2) framework in their intrusion campaigns, replacing Cobalt Strike.
"Given the popularity of Cobalt Strike as an attack tool, defenses against it have also evolved over time," Microsoft security experts said. "Sliver thus offers an attractive alternative for actors looking for a lesser-known toolset with a low barrier to entry."
First made public by the cybersecurity firm Bishop Fox in late 2019, Sliver is a Go-based open-source C2 platform that supports user-developed extensions, custom implant generation, and other options.
"A C2 framework usually includes a server that accepts connections from implants on a compromised system and a client application that allows the C2 operators to interact with the implants and launch malicious commands," Microsoft said.
In addition to facilitating long-term access to affected hosts, the cross-platform kit is also known to provide stagers, which are payloads primarily intended to retrieve and launch a full-featured backdoor on compromised systems.
Sliver's users include operators tied to Ryuk, Conti, Hive and BlackCat. The shift from Cobalt Strike to a freely available tool is seen as an attempt by adversaries to reduce their chances of exposure in a compromised environment and to make attribution more difficult, giving their campaigns a higher level of stealth and persistence.
Sliver isn't the only framework that has caught the attention of malicious actors. In recent months, campaigns attributed to a suspected Russian state-backed group have involved another legitimate adversary-simulation tool called Brute Ratel.
"Sliver and many other C2 frameworks are another example of how threat actors are constantly trying to evade automated security detections," Microsoft said.