Splinter emerges as a powerful alternative to Cobalt Strike

October 2, 2024

Various threat actors are now using a new post-exploitation tool, Splinter, to extend their foothold in IT environments after an initial compromise. Reports revealed that the tool can execute Windows commands, exfiltrate files, collect cloud service account information, and download additional malware onto victims' systems.

Researchers also noted that Splinter is not as sophisticated as other well-known post-exploitation tools such as Cobalt Strike but still poses a risk to businesses if successfully deployed.

Cobalt Strike, by contrast, is a legitimate commercial red-teaming tool. Cracked copies are nonetheless widely used in real attacks, which has made it a staple of ransomware and cyber-espionage operators.

The newly discovered code shows that attackers are constantly innovating and investing in techniques that allow them to remain undetected on compromised networks.


The authors of the new Splinter malware are still a mystery.


Investigations have not identified the authors of the Splinter post-exploitation tool, but the samples themselves reveal a good deal. Researchers found that the tool is written in Rust and that most samples are unusually large, at roughly 7 MB.

According to the researchers, this size is primarily due to the binary's extensive use of external libraries. Splinter stores its configuration data as JSON, which includes the implant ID, the targeted endpoint ID, and the C2 server details.

On execution, the sample parses this configuration and uses the network details to connect to the command-and-control server over HTTPS, authenticating with the credentials stored in the configuration.
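As an added illustration (not code from the original report or from the tool's authors), the following Python helper carves an embedded JSON configuration of the kind described above out of a large binary during triage, then pulls out the fields a hunter needs without echoing credentials. The key names `implant_id`, `endpoint_id` and `c2`, the sample blob, and the C2 URL are constructed assumptions, not Splinter's real schema or infrastructure:

```python
import json
from urllib.parse import urlsplit

# Constructed sample blob: binary padding around an embedded JSON config and a
# decoy object. Key names are assumptions for illustration, not Splinter's schema.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x90" * 32
    + b'{"implant_id":"abc123","endpoint_id":"ws-042",'
    + b'"c2":{"url":"https://c2.example.invalid/api","user":"op","pass":"secret"}}'
    + b"\x00" * 16
    + b'{"not":"a config"}'
    + b"\xff" * 8
)

# Keys a carved object must carry to count as an implant configuration (assumed names).
REQUIRED_KEYS = frozenset({"implant_id", "endpoint_id", "c2"})


def _balanced_end(blob: bytes, start: int, limit: int = 1 << 16):
    """Return the index just past the '}' that balances blob[start] == '{',
    or None. Tracks JSON string state so braces inside strings are ignored,
    and bails out on bytes that cannot occur in JSON outside a string."""
    depth = 0
    in_str = False
    escaped = False
    for i in range(start, min(len(blob), start + limit)):
        c = blob[i]
        if in_str:
            if escaped:
                escaped = False
            elif c == 0x5C:          # backslash starts an escape
                escaped = True
            elif c == 0x22:          # closing quote
                in_str = False
            continue
        if c == 0x22:
            in_str = True
        elif c == 0x7B:              # '{'
            depth += 1
        elif c == 0x7D:              # '}'
            depth -= 1
            if depth == 0:
                return i + 1
        elif c >= 0x80 or (c < 0x20 and c not in (0x09, 0x0A, 0x0D)):
            return None              # binary noise, not JSON
    return None


def carve_json_objects(blob: bytes) -> list:
    """Return every balanced {...} span in blob that json.loads accepts as an object.
    Each candidate '{' is scanned independently, so stray braces or quotes in the
    surrounding binary data cannot poison the match state."""
    objs, pos = [], 0
    while True:
        start = blob.find(b"{", pos)
        if start == -1:
            return objs
        end = _balanced_end(blob, start)
        if end is not None:
            try:
                obj = json.loads(blob[start:end].decode("utf-8"))
                if isinstance(obj, dict):
                    objs.append(obj)
                    pos = end        # skip nested objects already captured
                    continue
            except (UnicodeDecodeError, ValueError):
                pass
        pos = start + 1


def find_configs(blob: bytes, required=REQUIRED_KEYS) -> list:
    """Filter carved objects down to those with the expected config keys."""
    return [o for o in carve_json_objects(blob) if required.issubset(o)]


def summarize(cfg: dict) -> dict:
    """Pull the hunt-relevant fields out of a config without echoing credentials."""
    c2 = cfg.get("c2", {})
    url = c2.get("url", "") if isinstance(c2, dict) else str(c2)
    return {
        "implant_id": cfg.get("implant_id"),
        "endpoint_id": cfg.get("endpoint_id"),
        "c2_host": urlsplit(url).hostname,
        "has_credentials": isinstance(c2, dict) and "user" in c2 and "pass" in c2,
    }


if __name__ == "__main__":
    for cfg in find_configs(SAMPLE_BLOB):
        print(summarize(cfg))
```

Run it on a dumped sample (read the file as bytes and pass it to `find_configs`) and the C2 host is what goes into your proxy and DNS hunts; the credentials stay out of any ticket or chat log. Configs stored encrypted or compressed will not be found this way and need the unpacking step first.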

The implant then polls the C2 server and carries out whatever tasks the operator issues. These include running Windows commands, executing a module via remote process injection, uploading a file from the victim's system to the attacker's server, downloading further malicious files to the victim's machine, and collecting information from cloud service accounts.

The researchers also observed that operators can order the implant to self-destruct.

The researchers also published a sample hash and the URLs the implant uses to communicate with its C2 server, retrieve tasks, and download or upload files. Defenders can check endpoint and proxy logs against these indicators to detect the implant; a match warrants investigation, but the absence of a match does not by itself prove a system is clean.
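As an added example of putting such indicators to work (again not code from the original report), this Python script scores proxy log lines against a C2 host and a set of C2 URL paths, and checks a file's SHA-256 against a known hash. The hosts, paths, hash and log lines below are constructed placeholders, not the indicators from the Splinter report; substitute the published values when hunting:

```python
import hashlib
import re
from urllib.parse import urlsplit

# Hypothetical indicators constructed for this example. They are NOT the hash or
# URLs from the Splinter report; substitute the published values when hunting.
IOC_C2_HOSTS = {"c2.example.invalid"}
IOC_C2_PATHS = {"/api/register", "/api/task", "/api/upload", "/api/download"}
IOC_SHA256 = {hashlib.sha256(b"constructed-sample-bytes").hexdigest()}

# Constructed proxy log lines in a "timestamp client method url status" layout.
SAMPLE_LOG = """\
2024-10-01T10:00:01Z 10.1.2.3 GET https://www.example.com/index.html 200
2024-10-01T10:00:05Z 10.1.2.3 POST https://c2.example.invalid/api/register 200
2024-10-01T10:00:09Z 10.1.2.7 GET https://C2.EXAMPLE.INVALID:8443/api/task?id=7 200
2024-10-01T10:00:12Z 10.1.2.9 GET https://cdn.example.net/api/task 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url: str):
    """Return 'high', 'medium', 'low' or None depending on which indicators match.
    The host is normalised (lower-cased, port stripped) and the query string is
    dropped, so 'HOST:8443/api/task?id=7' still matches '/api/task' on HOST.
    A path hit on an unrelated host is only low confidence: generic paths such
    as /api/task are common and alone do not identify the implant."""
    parts = urlsplit(url)
    host_hit = (parts.hostname or "") in IOC_C2_HOSTS
    path_hit = parts.path in IOC_C2_PATHS
    if host_hit and path_hit:
        return "high"
    if host_hit:
        return "medium"
    if path_hit:
        return "low"
    return None


def hunt(log_text: str) -> list:
    """Parse proxy log lines and return every line that matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                  # unparsable line: skip it, don't abort the hunt
        confidence = classify_url(m["url"])
        if confidence:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "confidence": confidence})
    return hits


def hash_match(data: bytes) -> bool:
    """True if the SHA-256 of a file's bytes is a known indicator."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Two caveats when running this for real: a hash indicator only catches the exact sample that was analysed, so a recompiled or repacked build slips past it, and C2 hosts rotate, which is why the path-level matching is kept even though it is noisy. Treat "low" hits as a pivot for further review rather than an alert.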
