Splinter Post-Exploitation Red Team Tool, Weaponized by Threat Actors, Discovered


Using Advanced WildFire’s memory scanning tools, Unit 42 cybersecurity researchers have identified a new post-exploitation red team tool named Splinter.

This tool, developed in Rust, a programming language known for its memory safety features, has been found on several customer systems, highlighting the need for continuous tracking and detection of such tools.

Splinter is designed to simulate long-term access on a target system, expanding initial access gained through various means.

It uses a configuration data structure in JSON format, known as ImplantConfig, which contains essential information for its operations, including the implant ID, targeted endpoint ID, command and control (C2) server address, and login credentials.

The tool operates on a task-based model, common among post-exploitation frameworks. It obtains tasks from the C2 server defined by the attacker.

These tasks include executing Windows commands, uploading and downloading files, gathering information from cloud service accounts, and self-deletion.

Splinter also employs classic process injection methods to run additional modules, injecting PE loader shellcode and payloads into remote processes.

[Figure: Process injection]

The discovery of Splinter underscores the growing variety of red-teaming tools available, which can be misused by criminals to compromise organizations. This emphasizes the importance of staying up to date on prevention and detection capabilities.

Splinter’s use of Rust, with its densely layered runtime code, makes analysis challenging for malware reverse engineers. The tool’s large size, around 7 MB, is primarily due to the inclusion of large external libraries statically linked to the file.

These libraries, known as crates in Rust terminology, include various networking and encryption tools.

The tool communicates with the C2 server using HTTPS, synchronizing tasks, maintaining a heartbeat connection, and downloading or uploading files through specific URL paths.

The Palo Alto Networks report states that this encrypted communication adds to the complexity of detecting and blocking Splinter’s activities.
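Because the payload is encrypted, a defender can still work from connection metadata. The following added example (not code from Unit 42 or from the tool) flags client/server pairs whose TLS connections recur at a near-constant interval, as a heartbeat would; the log format, host names, addresses and thresholds are assumptions made for illustration, as is the premise that the heartbeat runs at a roughly fixed interval.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, client IP, TLS server name (SNI).
# All hosts and addresses are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 c2.example.test
2024-01-01T10:00:07 10.0.0.9 news.example.test
2024-01-01T10:01:01 10.0.0.5 c2.example.test
2024-01-01T10:01:30 10.0.0.9 news.example.test
2024-01-01T10:02:00 10.0.0.5 c2.example.test
2024-01-01T10:02:59 10.0.0.5 c2.example.test
2024-01-01T10:04:00 10.0.0.5 c2.example.test
2024-01-01T10:06:45 10.0.0.9 news.example.test
2024-01-01T10:07:02 10.0.0.9 news.example.test
2024-01-01T10:19:40 10.0.0.9 news.example.test
2024-01-01T10:05:00 10.0.0.5 c2.example.test
"""

def find_beacons(log_text, min_conns=5, max_cv=0.1):
    """Return [(client, server, mean_gap_s, cv)] for pairs with regular timing."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        times[(parts[1], parts[2])].append(ts)
    hits = []
    for (client, server), stamps in times.items():
        if len(stamps) < min_conns:
            continue  # too few samples to judge regularity
        stamps.sort()  # log lines may arrive out of order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low value means near-constant interval.
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append((client, server, round(mean, 1), round(cv, 3)))
    return sorted(hits, key=lambda h: h[3])

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Regular timing alone is not proof of C2: update checkers and telemetry agents also poll on a schedule, and an implant that adds jitter raises the coefficient of variation, so treat hits as leads to correlate with endpoint data.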

While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, its discovery highlights the need for vigilance in cybersecurity.

Organizations must remain proactive in updating their security measures to counter the evolving threat landscape. The identification of Splinter serves as a reminder of the importance of continuous monitoring and detection of potential security threats.
