CTI Roundup: Threat Actors Use Sliver C2 Framework

This week, CTI explores why the Sliver command and control (C2) framework is gaining traction among threat actors as an open-source alternative to tools like Cobalt Strike and Metasploit. Next, we take a deep dive into the latest evolution of Emotet. Also included is an overview of an operation in which a suspected China-nexus threat actor exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN, leveraging the bug as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa.

1. Threat actors turn to Sliver as open-source alternative to popular C2 frameworks

Sliver is a tool that security professionals use in red team operations to remotely control compromised machines during security assessments. It’s a Golang-based, cross-platform post-exploitation framework that’s comparable to Cobalt Strike and Metasploit.

According to a new Cybereason report, Sliver is becoming increasingly popular among cybercriminals, largely because it’s open-source, modular, and cross-platform (OS X, Linux and Windows) — making it flexible and convenient. The framework supports many of the core capabilities that are necessary for adversary simulation, like dynamic code generation, compile-time obfuscation, multiplayer mode, and more.

The Sliver C2 ecosystem consists of four major components. It has a server console which acts as the main interface, a C2 server, a client console, and an implant that serves as the malicious code that runs on a target system.

Threat actors currently using Sliver C2

APT29/Cozy Bear

APT29, associated with Russia, has been observed by multiple different organizations using Sliver C2 to ensure persistence on a compromised network. A report by the National Cyber Security Centre (NCSC) notes that the use of Sliver was likely an attempt to maintain access to a number of victims.

TA551

Proofpoint identified emails with Microsoft Office attachments that contained macros that led to the deployment of the Sliver C2 framework. In this instance, Sliver was loaded after the initial infection vector, unlike previously observed TA551 cases.

Exotic Lily

Cybereason previously reported on BumbleBee loader infections which led to the deployment of a C2 framework. Exotic Lily is observed distributing a BumbleBee loader infection that ultimately led to the deployment of Sliver C2.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Sliver has been weaponized by threat actors since its release in 2020 and is still gaining popularity in the cybercriminal community.”

“While Sliver is an impressive framework (hence why threat actors are actively using it), it is not the only open-source framework being exploited by threat actors. Empire is another C2 framework gaining in popularity due to the wide range of capabilities it can provide and attack with. All of this to say – open-source C2 frameworks likely aren’t going anywhere when it comes to cybercrime.”

2. Emotet malware makes a comeback with new evasion techniques

A blog by BlackBerry’s Research and Intelligence team dives into the newest wave of Emotet emails which involve a new method for tricking users into allowing macros in order to download the dropper.

The latest additions to Emotet’s arsenal include an SMB spreader to facilitate lateral movement and a credit card stealer that targets Chrome browsers.

About Emotet malware

Emotet is a trojan that mainly spreads via spam email. It started as a banking trojan but is now mostly seen as infrastructure as a service and used as a dropper for delivery of things like TrickBot, Ryuk ransomware, and Qbot.

The FBI worked with foreign law enforcement agencies and private sector partners in a coordinated effort to take down Emotet in early 2021. To disrupt Emotet’s infrastructure, law enforcement gained control of the infrastructure and took it down from the inside. However, the disruption of the Emotet infrastructure was not enough to stop the malware. Emotet returned to the threat landscape and started topping Proofpoint’s list of high-volume actors, distributing thousands of emails per day.

Emotet’s growing toolbox

Emotet has been evolving since its inception. It can now host a range of modules, each of which is used for different information theft aspects that report back to the C2 servers.

Emotet has also been observed injecting custom modules along with readily available freeware tools and tweaking them over the years. For example, a recently added module targets the Google Chrome browser to steal stored credit card information. Another recently added module is a server message block (SMB) spreader module, which enables lateral movement.

To load some previously used modules, Emotet also uses an injection technique known as Heaven’s Gate. This is an infamous method used by malware to bypass Windows on Windows64 (WoW64) API hooks by taking malicious 32-bit processes to inject into 64-bit processes. Through Heaven’s Gate, Emotet loaders use the process hollowing technique to suspend a legitimate process, and then remap its image with malicious code. This malicious code then runs from the now hollowed-out process to load modules.

Emotet’s social engineering component

Last summer, Microsoft decided to disable macros by default, requiring the user to enable macros each time. The newest wave of Emotet spam emails includes attached .xls files that trick users into allowing these macros in order to download the dropper.

• When a user downloads an .xls file from the email, the infection vector is entirely dependent on the user enabling macros so that the Emotet dropper can be installed. To do so, Emotet relies on social engineering to convince users to basically compromise their own machine.
• In this new campaign, users are instructed to move the newly downloaded file into Excel’s Templates folder. Since this folder is automatically trusted by Microsoft, any file executed from this location is ignored by the Protected View functionality, which allows the macros to run with no issue.
• When the macros are run, they reach out to the internet to download and execute Emotet malware. The Emotet dropper is downloaded to a randomly generated folder as a .dll file and is given a randomly generated name. Emotet will then run in the background, reaching out to the C2 server to download additional malware.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“Every time Emotet reemerges in the news, it appears even more sophisticated than the last. This particular campaign is a prime example of how threat actors will pivot in response to attempts to hinder them. In this case, Microsoft decided to block macros by default, and Emotet said, ‘that’s okay, we’ll just launch from a folder that ignores this Protected View.’”

“Emotet’s response to Microsoft’s decision solely relies on social engineering to convince a user to copy the malicious file to a location that will allow macros to run without hindrance. Social engineering still works, and Emotet is further proof of that.”

3. Chinese hackers exploit Fortinet flaw, use 0-Day to drop malware

According to Mandiant, a suspected China-nexus threat actor successfully exploited a recently patched vulnerability in Fortinet FortiOS SSL-VPN, and leveraged the bug as a zero-day in attacks targeting a European government entity and MSP in Africa.

What is CVE-2022-42475?

On December 12, 2022, Fortinet released a PSIRT Advisory and notified customers at risk of being impacted by CVE-2022-42475 and its exploitation at the hands of state-sponsored threat actors.

CVE-2022-42475 is described as a heap-based buffer overflow vulnerability in FortiOS SSL-VPN. It can potentially enable a remote, unauthorized attacker to execute arbitrary code or commands using specially crafted requests.

Fortinet cites at least one instance in which the vulnerability was exploited in the wild. The PSIRT strongly recommends that FortiOS SSL-VPN users immediately perform exposure checks by sweeping their systems and verifying them against the significant list of indicators of compromise (IOCs) provided by the PSIRT.

The IOCs include the presence of specific log entries, as well as the presence of multiple artifacts within the filesystems of impacted devices, and outbound connections to any of the suspicious IP addresses provided by Fortiguard.

The exploitation

The exploitation of CVE-2022-42475 by a suspected China-nexus threat actor occurred as early as October 2022, at least nearly two months before fixes were released.

Mandiant does not claim to have directly observed exploitation of CVE-2022-42475, but samples of the Linux variant of BOLDMOVE contained a hard coded C2 IP address that has been listed by Fortinet as being involved in the security flaw’s exploitation. Mandiant takes this as indicative of the exploitation of CVE-2022-42475 for the purposes of delivering BOLDMOVE backdoor malware.

The malware that was ultimately delivered as a result of this activity — tracked as BOLDMOVE by Mandiant — is described by the intel firm as a new strain with both a Windows and a Linux variant, which is specifically designed to run on FortiGate firewalls. Mandiant first discovered the BOLDMOVE backdoor in December of 2022.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“This operation serves as a reminder to defenders of the vulnerabilities and gaps in visibility that organizations are constantly battling when they are responsible for managing networks and services remotely. Due to the limitations imposed by the configurations of the devices required to do so, it is also hard to measure the scope and extent of malicious activity resulting from the exploitation of public-facing networking equipment.”

“The difficulty inherent in attempting to detect malicious processes or perform proactive hunts on managed devices basically has the effect of creating blind spots on the perimeter of targeted networks.”

---

Stay up to date on the latest cyber threat intelligence news by checking out our library of roundup reports.