"Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework"

Nation-state threat actors are increasingly adopting and integrating the Sliver command-and-control (C2) framework as a replacement for Cobalt Strike in their intrusion campaigns. Because of the popularity of Cobalt Strike as an attack tool, defenses against it have also improved over time, according to Microsoft security experts. As a result, Sliver is an appealing option for malicious actors looking for a lesser-known toolset with a low barrier to entry.

Sliver, released by the cybersecurity firm BishopFox in late 2019, is a Go-based open-source C2 platform that supports user-developed extensions, custom implant generation, and other commandeering options. A C2 framework typically consists of a server that accepts connections from implants on a compromised system and a client application that allows C2 operators to interact with the implants and launch malicious commands. The cross-platform kit is also known to deliver stagers, which are payloads primarily intended to retrieve and launch a fully-featured backdoor on compromised systems.

Among its users is DEV-0237, also known as FIN12, a prolific Ransomware-as-a-Service (RaaS) affiliate that has previously used initial access obtained from other groups to deploy various ransomware strains such as Ryuk, Conti, Hive, and BlackCat. Microsoft reported that it recently observed cybercriminals dropping Sliver and other post-exploitation software by embedding it within the Bumblebee loader, which emerged earlier this year as a successor to BazarLoader and has ties to the larger Conti syndicate. This article continues to discuss the increased adoption of the Sliver C2 framework by nation-state threat actors.

THN reports "Cybercrime Groups Increasingly Adopting Sliver Command-and-Control Framework"
