September 23, 2024 at 02:51AM
Attackers are using a new post-exploitation tool called Splinter to infiltrate and disrupt victims’ IT environments. The malicious tool can execute Windows commands, steal files, collect cloud service account info, and download additional malware. Unlike Cobalt Strike, Splinter poses a potential threat to organizations and remains undetected on victims’ networks.
Based on the meeting notes, the key takeaways are:
1. The new post-exploitation tool Splinter is being used by attackers to cause havoc in IT environments by executing Windows commands, stealing files, collecting cloud service account info, and downloading additional malware onto victims’ systems.
2. Splinter self-deletes after executing tasks, making it more difficult to detect.
3. Although not as advanced as Cobalt Strike, Splinter still poses a potential threat to organizations if misused.
4. Cracked copies of legitimate tools like Cobalt Strike are frequently used for illicit purposes by ransomware operators and cyberspies.
5. Splinter is written in Rust and uses a JSON format for its configuration data, including the implant ID, targeted endpoint ID, and command-and-control (C2) server details.
6. The malware communicates with the C2 server and can run various tasks including executing Windows commands, collecting information from cloud service accounts, and self-destructing.
7. Unit 42 has listed a sample hash and URL paths used by the attacker’s C2 server, emphasizing the need to check for unwanted code in systems.
These takeaways illustrate the potential threat posed by Splinter and the importance of staying vigilant against post-exploitation tools like Cobalt Strike in IT environments.