
Move over, Cobalt Strike. Splinter’s the new post-exploit menace in town

No malware crew linked to this latest red-teaming tool yet


Attackers are using Splinter, a new post-exploitation tool, to wreak havoc in victims' IT environments after initial infiltration, utilizing capabilities such as executing Windows commands, stealing files, collecting cloud service account info, and downloading additional malware onto victims' systems.

Then the malicious code self-deletes, according to Palo Alto Networks' Unit 42 threat hunters, who spotted the new penetration testing tool hiding in several of its customers' systems.

"While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused," Unit 42 analyst Dominik Reichel said this month.

Unlike Splinter, Cobalt Strike is a legitimate red-teaming tool. Cracked copies, however, are frequently used for illicit purposes and are a favorite among ransomware operators and cyberspies.

The newly uncovered code is a good reminder that attackers are sneaky and continue to invest in tools intended to remain undetected on victims' networks.

Unit 42 has yet to identify who developed Splinter. The team uncovered the tool's internal project name in a debug artifact.

That malware is written in Rust, and its samples are "exceptionally" large, even for Rust, with a typical sample coming in around 7 MB. This, we're told, is primarily due to the large number of external libraries that the file uses.

Splinter also uses a JSON format for its configuration data that contains the implant ID and targeted endpoint ID, along with the command-and-control (C2) server details.

"Upon execution, the sample parses the configuration data and it uses the network information to connect to the C2 server using HTTPS with the login credentials," Reichel noted.

The software nasty then begins communicating with the C2 server and executing whatever tasks the attacker tells it to, which can include: running Windows commands, executing a module via remote process injection, uploading a file from the victim's system to the attacker's server, downloading malicious files to the victim's machine, collecting information from cloud service accounts, and self-destructing.

Unit 42 also lists a sample hash, along with URL paths that the attacker's C2 server uses to communicate with the implant, execute tasks and download or upload files. It's a good idea to check these out to ensure there's no unwanted code dwelling in your systems.
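As an added illustration of the check recommended above (example code written for this page, not Unit 42's or The Register's), here is a small Python hunt that compares file hashes on disk against the published sample hash and matches web-proxy URL paths against the published C2 paths. The indicator values and the proxy-log layout are placeholders and assumptions, since this page does not reproduce them; fill them in from the Unit 42 report.

```python
import hashlib
import re
from pathlib import Path

# PLACEHOLDERS: replace with the sample hash and C2 URL paths from the Unit 42 report.
SPLINTER_SHA256 = {"PLACEHOLDER_SPLINTER_SAMPLE_SHA256"}
SPLINTER_C2_PATHS = {"/PLACEHOLDER_C2_PATH_FROM_UNIT42_REPORT"}

# Assumed (constructed) proxy log layout: "<timestamp> <client-ip> <METHOD> <url> <status>"
LOG_RE = re.compile(r"^\S+ \S+ (?P<method>[A-Z]+) https?://[^/\s]+(?P<path>/\S*)?")


def sha256_hex(data: bytes) -> str:
    """Lower-case hex SHA-256 of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def hunt_files(root: str, known_hashes=SPLINTER_SHA256) -> list[str]:
    """Paths under `root` whose SHA-256 matches a known Splinter sample hash."""
    return [str(p) for p in Path(root).rglob("*")
            if p.is_file() and sha256_hex(p.read_bytes()) in known_hashes]


def hunt_proxy_log(lines, c2_paths=SPLINTER_C2_PATHS) -> list[str]:
    """Log lines whose URL path (query string stripped) is a known Splinter C2 path.
    The implant talks HTTPS, so the path is only visible on a TLS-inspecting proxy;
    without inspection you can only match on the C2 host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = (m.group("path") or "/").split("?", 1)[0]
        if path in c2_paths:
            hits.append(line)
    return hits


# Constructed sample log; the second line imitates an implant check-in.
SAMPLE_LOG = [
    "2024-09-20T10:00:01Z 10.0.0.5 GET https://example.com/index.html 200",
    "2024-09-20T10:00:07Z 10.0.0.9 POST https://203.0.113.10/PLACEHOLDER_C2_PATH_FROM_UNIT42_REPORT?id=1 200",
    "2024-09-20T10:00:09Z 10.0.0.9 GET https://example.org/ 200",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_LOG):
        print("possible Splinter C2 traffic:", hit)
```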

And as Reichel points out, it's also a good reminder that Cobalt Strike isn't the only red-teaming tool to worry about in the wild. ®
