Headline
'Sliver' Emerges as Cobalt Strike Alternative for Malicious C2
Microsoft and others say they have observed nation-state actors, ransomware purveyors, and assorted cybercriminals pivoting to an open source attack-emulation tool in recent campaigns.
Enterprise security teams, which over the years have honed their ability to detect the use of Cobalt Strike by adversaries, may also want to keep an eye out for “Sliver.” It’s an open source command-and-control (C2) framework that adversaries have increasingly begun integrating into their attack chains.
“What we think is driving the trend is increased knowledge of Sliver within offensive security communities, coupled with the massive focus on Cobalt Strike [by defenders],” says Josh Hopkins, research lead at Team Cymru. “Defenders are now having more and more successes in detecting and mitigating against Cobalt Strike. So, the transition away from Cobalt Strike to frameworks like Sliver is to be expected,” he says.
Security researchers from Microsoft this week warned about observing nation-state actors, ransomware and extortion groups, and other threat actors using Sliver along with — or often as a replacement for — Cobalt Strike in various campaigns. Among them is DEV-0237 (aka FIN12), a financially motivated threat actor associated with the Ryuk, Conti, and Hive ransomware families; and several groups engaged in human-operated ransomware attacks, Microsoft said.
Growing Use
Earlier this year, Team Cymru reported observing Sliver being used in campaigns targeting organizations in multiple sectors, including government, research, telecom, and higher education. One campaign, between Feb. 3 and March 4, involved a Russian-hosted attack infrastructure, while another targeted government entities in Pakistan and Turkey. In many of these attacks, Team Cymru observed Sliver being used as part of the initial infection tool chain to deliver ransomware. In other instances, the threat intelligence firm found Sliver being used in opportunistic attacks involving potential exploitation of Log4j and VMware Horizon vulnerabilities.
Researchers from BishopFox developed and released Sliver, as an open source alternative to Cobalt Strike, in 2019. The framework is designed to give red-teamers and penetration testers a way to emulate the behavior of embedded threat actors in their environments. But as with Cobalt Strike, these same features also make it an attractive threat actor tool.
An Attractive Alternative for Adversaries
Sliver is written in the Go programming language (Golang), and therefore can be used across multiple operating system environments, including Windows, macOS, and Linux. Security teams can use Sliver to generate implants as Shellcode, Executable, Shared library/DLL, and as-a-Service, Microsoft said. Researchers added that Golang helps adversaries also because of the relatively limited tooling available for reverse engineering of Go binaries.
Sliver also supports smaller payloads — or stagers — with a handful of features that allow operators to retrieve and launch a full implant.
“Stagers are used by many C2 frameworks to minimize the malicious code that’s included in an initial payload (for example, in a phishing email),” Microsoft said. “This can make file-based detection more challenging.”
Sliver also offers many more built-in modules than Cobalt Strike, says Andy Gill, adversarial engineer at Lares Consulting; these built-in capabilities make it easier for threat actors to exploit systems and leverage tooling to facilitate access, Gill says. Cobalt Strike, in contrast, is more of a bring-your-own payload/module tool.
“Sliver lowers the barrier of entry for attackers. [It] offers more customization in terms of payload delivery and ways of adapting attacks to evade defenses,” he notes.
But the most appealing factor for threat actors currently is its relative obscurity and the lack of work that has been undertaken — so far, at least — in building detections for Sliver, Hopkins from Team Cymru says. “Sliver has a lot of the same capabilities as Cobalt Strike, but without such a large spotlight being shone on it,” he says. This has created a potential gap in detection coverage that some attackers are now trying to exploit.
And finally, the fact that it’s free, open source, and available on GitHub also makes Sliver attractive compared to Cobalt Strike, which is commercial and therefore requires threat actors to crack the license mechanism each time a new version is released, Gill says.
Cobalt Strike Remains Gold Standard — but Attackers Have Other Frameworks
At the same time, it would be a big mistake for organizations to discount adversarial use of Cobalt Strike, researchers warn.
In the first quarter of this year, for instance, Team Cymru observed some 143 Sliver samples that were likely being used as a first-stage tool in attack campaigns — compared with 4,455 samples of Cobalt Strike being used for potentially malicious purposes.
“Defenders would be unwise to take their eyes off Cobalt Strike,” Hopkins says. “Cobalt Strike is synonymous with — and the gold standard of — command-and-control networks.”
Sometimes, the tools are used in tandem. Researchers at Intel 471 earlier this year observed Sliver being deployed along with Cobalt Strike, Metasploit, and the IcedID banking Trojan via a new loader called "Bumblebee". The company’s chief intelligence officer Michael DeBolt says the framework has one feature that likely makes it especially useful for threat actors.
“Sliver has a lot of features, [but] one that might be especially useful is its ability to limit execution to specific time frames, hosts, domain-joined machines, or users,” he says “This feature can prevent the implant from executing in unintended environments, such as sandboxes, which aids against detection.”
Sliver is just one of several C2 frameworks that attackers are using as alternatives to Cobalt Strike. Researchers from Intel 471, for instance, recently added detection for a legitimate red-teaming tool called Brute Ratel, after observing some threat actors using it for C2 purposes.
Earlier this year, Palo Alto Networks’ Unit 42 threat-hunting team uncovered what appeared to be Russia’s notorious APT29 (aka Cozy Bear) using Brute Ratel in an attack campaign.
Meanwhile, Gills from Lares pointed to Posh2, a C2 framework which, though not new, offers threat actors a chance of evading Cobalt Strike-centric detection mechanisms. And Hopkins from Team Cymru says his company is currently tracking a C2 framework called “Mythic” following some initial indications of adoption within the threat-actor community.
Frameworks tend to vary in capabilities such as lateral movement, injection, and call out, Gill says.
"[So], from a defensive standpoint, operators are better off profiling and generating signatures for techniques than analyzing specific C2 frameworks," he notes.