More threat actors have been leveraging the Sliver command-and-control framework as a Cobalt Strike and Metasploit alternative, reports The Hacker News.
Developed by Bishop Fox, Sliver offers a range of adversary simulation capabilities, including in-memory payload execution, dynamic code generation, and process injection, and has been used to deliver second-stage payloads in spear-phishing campaigns, a Cybereason report showed.
Threat actors could use Sliver for privilege escalation prior to credential theft and lateral movement, and eventually data exfiltration activities, said the report.
"Sliver C2 implant is executed on the workstation as stage two payload, and from [the] Sliver C2 server we get a shell session. This session provides multiple methods to execute commands and other scripts or binaries," said Cybereason researchers Meroujan Antonyan and Loic Castel.
Some threat actors that have used Sliver include Russian cybercrime operation APT29, also known as CozyBear, and cybercrime operations Exotic Lily, also known as Projector Libra, and Shathak, also known as TA551.