The Use of the Sliver C2 Framework for Malicious Purposes
The proliferation of Cobalt Strike during the early 2020s has been undeniable, and its impact unquestionable. In response to this challenge, the detection strategies of defenders have steadily matured. Consequently, threat actor decision making with regards to tooling is likely evolving too. We therefore decided to identify and track Cobalt Strike “alternatives”, specifically off-the-shelf Offensive Security Tools (OST).
In this post we will discuss the Sliver C2 framework and its usage for potentially malicious purposes since the start of 2022.
Sliver is a Golang based implant and thus is compatible with the major operating systems. Our focus centered on the detection of new Sliver samples associated with Linux, MacOS, and Windows operating systems, and the extracted network infrastructure contained within those samples. To understand threat actor TTPs, we subsequently tracked network telemetry for the wider C2 infrastructure in cases where Sliver was deployed.
Sliver utilized as a beachhead for the initial infection tool-chain
Sliver utilized in the ransomware delivery framework for attacks observed in the wild
Sliver deployed via active opportunistic scanning and possible exploitation of Log4j / VMware Horizon vulnerabilities
Sliver utilized in the targeting of organizations within Government, Research, Telecom, and University sectors, in addition to sporadic victims of opportunity
Identification of Sliver Samples
Sliver’s current advantage lies in its obscurity alongside other less commonly utilized OSTs, with most organizations still focused on Cobalt Strike detection. This opens a possible gap in coverage – no one can be expected to detect all the things. This gap exposes organizations to the risk of these lesser known, yet still highly capable, OST C2 frameworks.
During Q1 of 2022, we observed 143 Sliver samples, detected with the potential for usage as a first stage tool in malicious activity. For comparison, 4,455 samples of Cobalt Strike were observed within the same time-period. Based on the continued prevalence of Cobalt Strike, organizations focusing on detection of that toolset are certainly justified. However, if organizations have the resources to do so, we strongly recommend some study of Sliver to identify possible detection opportunities.
This should be considered an anecdotal analysis of samples, as no detection rule is infallible, and no malware corpus complete. It is also not feasible to distinguish between legitimate versus malicious use for the totality of samples identified.
What follows is our analysis of two distinct malicious campaigns which leveraged Sliver for C2 purposes.
Sliver Campaign 1 – “Scan & Exploit”
22.214.171.124 (SELECTEL, RU)
C2 PORTS: 8888, 13338, 23338, 33338
Between 03 February – 04 March 2022 Sliver samples were discovered, utilizing Russian-hosted infrastructure, in the targeting of organizations in various sectors distributed globally. These samples and associated C2 IP (126.96.36.199) were deemed malicious, based on observations of 188.8.131.52 sweeping ranges in an indiscriminate manner, likely seeking exploitation opportunities.
Data from GreyNoise further highlighted the use of 184.108.40.206 for malicious purposes, targeting Log4j and Exchange (ProxyShell) vulnerabilities.
Based on the identification of Virlock samples (as discussed later in this blog) it is assessed that in some cases the actors sought to monetize the accesses they had gained.
In one instance, a victim was observed connecting to TCP/80 on 220.127.116.11, potentially indicative of an exploitation of Log4j, with subsequent connections to 18.104.22.168:8888. This victim was identified running VMware Horizon and was therefore likely vulnerable to CVE-2021-44228 and CVE-2021-45046.
The use of TCP/8888 aligns with several identified Sliver samples configured to communicate with 22.214.171.124. After a period of approximately 14 days, we observed the C2 communications ‘migrate’ to TCP/13338, TCP/23338, and TCP/33338.
NOTE: TCP/8888 is associated with Sliver’s default mTLS configuration, the use of the additional TCP ports ending in *3338 appeared more unique to this threat actor and were utilized in circumstances where victim communications persisted over extended time-periods.
The following samples (Table 1) were observed communicating with C2 IP 126.96.36.199.
When generating payloads, the Sliver configurator outputs a binary based on a naming convention of RANDOMWORD1_RANDOMWORD2.exe by default.
In this case, Sliver was utilized for C2 communications in the first stage of the breach activity. A subsequent sample, identified as Atera Remote Management software, also communicated with 188.8.131.52. This sample was first uploaded to VirusTotal on February 11, 2022. It appeared the actor used these two tools in concert, potentially switching to the use of Atera after initial compromise was achieved.
184.108.40.206 (Red Bytes LLC, RU)
C2 PORTS: 8888, 13338, 23338, 33338
Approximately 30 days after first observing victim communications with 220.127.116.11, the actor was observed switching victims to a new C2 IP (18.104.22.168), again assigned to a provider in Russia. As previously, victim communications continued over TCP/13338, TCP/23338, and TCP/33338.
‘In-the-wild’ file names for samples communicating with 22.214.171.124 continued to point towards exploitation of Log4j and VMware Horizon vulnerabilities (Table 2).
In addition to the above referenced samples, a sample with possible Virlock ransomware capabilities was also observed communicating with 126.96.36.199. This sample was first uploaded to VirusTotal on March 11, 2022. This finding is indicative of the actor attempting to monetize the access gained by deploying ransomware on a compromised host. It is unclear whether ransomware deployment was the intended final goal in every case.
188.8.131.52 (NICEIT, DM)
C2 PORT: 8888
Finally, in recent days an additional Sliver sample was detected, communicating with a ‘new’ C2 IP (184.108.40.206) assigned to a provider in Dominica. Network telemetry data does not indicate any current victim communications and it is unclear how this sample / C2 IP is connected to this activity. Updates on this activity will be posted on Twitter via @teamcymru_S2.
One of the challenges faced when tracking this activity was the volume of noise generated by the ongoing exploitation of hosts via vulnerabilities in utilities such as Log4j and Exchange. In several cases, we observed the same victim likely compromised by multiple threat actors. However, what can be concluded is the apparent utilization of Sliver in malicious activity, coupled with the continuous scanning, exploitation, and triage of victim infrastructure.
The activity associated with this cluster was previously commented on in other public reporting:
Sliver Campaign #2 – Pakistan & Turkey
The second campaign identified leveraging Sliver was deemed malicious based on the domain name utilized by the actors, which appeared to target government entities in Pakistan and Turkey.
The detected Sliver samples communicated with ping.turkey.g0v.cq.cn, which resolved to IP 220.127.116.11 (AMAZON-02, US).
Network telemetry data for 18.104.22.168 did not identify current victim communications, however this does not rule out ongoing or future malicious activity.
Passive DNS data for 22.214.171.124 identified three further domains resolving to this IP address:
Given the similarity in the apparent spoofing of government entities, it was inferred that these domains related to the domain (ping.turkey.g0v.cq.cn) identified in the Sliver samples.
A further pivot on pkgov.org identified an email address (email@example.com) used in the domain registration. This email address was used in the registration of two further domains, which resolved to IP 126.96.36.199 (AMAZON-02, US):
In this case, network telemetry for 188.8.131.52:80 provided evidence of inbound connections from potential victims located in Pakistan.
NTC is likely a reference to one of two Pakistani organizations; the National Telecom Corporation, or the National Technology Council.
Data from our Botnet Analysis and Reporting Service (BARS) indicated that a Cobalt Strike Beacon server was listening on TCP/80 of 184.108.40.206, associated with the following shellcode sample:
Passive DNS data for ntcgov.org identified several subdomains, providing an insight into the intended targets of this campaign:
The string dxb possibly relates to DXB, the airport code for Dubai International, and the string raabta possibly relates to a project undertaken by the Centre for Pakistan and Gulf Studies.
It could be inferred that this campaign was undertaken to gain insight into collaborative projects conducted between Pakistan and the Gulf States (which includes Dubai, UAE).
We have observed a steady increase in detected Sliver samples over Q1 of 2022, providing insight into actor deployment methods and objectives. Of note we identified two separate campaigns which leveraged Sliver for likely malicious purposes. The latter campaign highlighted the potential use of both Sliver and Cobalt Strike in conjunction with each other. As previously stated, the threat posed by malicious utilization of Cobalt Strike has not diminished, however we would recommend that organizations also remain mindful of other OSTs, by applying resources to develop detection mechanisms for frameworks like Sliver.
Consider an attack surface management solution to track remediation of vulnerable assets.
Monitor (and hunt externally, beyond your network perimeter) for Sliver with community Snort / YARA rules, for example:
UK NCSC (link)
Travis Green (link)
Monitor and hunt internally within your infrastructures, look specifically for Sliver as an initial payload, or in concert with other OSTs (like Cobalt Strike).
Review threat actor TTPs where Sliver was leveraged in previous malicious campaigns, for example:
Alexis Rodriguez (link)
If you are concerned about the risks and vulnerabilities of external assets, you can access our eBook on Attack Surface Management here: https://team-cymru.com/ebook-the-future-of-attack-surface-management-brad-laporte/
INDICATORS OF COMPROMISE