Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Published on
Nov 12, 2024
Inside the Sliver Framework
Sliver, a cross-platform command-and-control (C2) framework developed by Bishop Fox, was originally created to support adversary emulation and red teaming. However, its robust functionality has led to cybercriminals and nation-state groups adopting it as a stealthy alternative to more recognizable tools like Cobalt Strike.
Core Capabilities:
- Cross-Platform Operation: Works on Windows, macOS, and Linux.
- Encrypted Communications: Supports secure channels via mTLS, WireGuard, HTTP(S), and DNS protocols.
- Advanced Payload Options: Provides features like process injection and in-memory execution of .NET assemblies.
- Modular Design: Allows users to expand capabilities through custom payloads and third-party integrations.
Adoption by Threat Actors:
- Supply Chain Attack via Korean Software Vendor: A compromised Korean software installer delivered Sliver, enabling attackers to mask their presence within seemingly legitimate applications, an evolving tactic in supply chain threats.
- North Korean Group Using Play Ransomware: North Korean actors deployed Sliver's stealth capabilities to facilitate the execution of Play ransomware, underscoring its utility in advanced evasion techniques.
- Nitrogen Campaign Leading to BlackCat Ransomware: In a recent Nitrogen operation, Sliver provided initial access and reconnaissance capabilities, eventually leading to the deployment of BlackCat ransomware.
Detection Challenges: Sliver's flexibility in payload customization, protocol use, and rapid development updates make it difficult to detect using traditional methods. Its ability to mimic legitimate traffic and quickly adapt to detection efforts poses significant challenges for defenders relying on signature-based tools.
Ligolo-ng Overview
Ligolo-ng is a tunneling and pivoting tool that allows security professionals to securely access internal networks via a reverse TCP/TLS connection. Unlike traditional SOCKS proxies, it leverages a TUN interface, enabling seamless traffic routing through compromised machines.
Ligolo-ng is a favored tool among penetration testers because of its ease of use and cross-platform compatibility. It supports lateral movement within complex network environments, making it ideal for stealthy internal network exploration and effective pivoting during security assessments.
Initial Findings - IP Address and Domain Linkage
During our analysis of recent entries in Hunt's C2 Infrastructure feature, we identified an IP address flagged as a Sliver controller: 179.60.149[.]75, hosted on the HOSTKEY ASN in the United States. The IP exhibited active Sliver C2 ports on 3333, 22813, and 43215, alongside Ligolo-ng on port 22913. This discovery led us to investigate the infrastructure surrounding this server further.
Additional analysis uncovered an associated domain, ycombinator.serveblog[.]net, crafted to resemble Y Combinator, a well-known venture capital firm. The similarity to the legitimate brand name suggests a potential attempt to establish trust or credibility, possibly to deceive users or networks that recognize the firm's status within the tech community.
Upon navigating to this spoofed domain, we observed an immediate HTTP redirect to Y Combinator's legitimate website, a tactic likely intended to deflect suspicion while maintaining a functional appearance.
We combed through multiple malware repositories and encountered a malicious ELF file communicating with the subject IP over port 443. Named "cloud" (SHA-256: c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84), this file was flagged by 31 vendors on VirusTotal as a Sliver implant.
Although executing the file in a local sandbox environment did not yield active network communications, HTTP requests associated with this implant were visible on VirusTotal, revealing specific URL paths on the target server.
The most commonly accessed paths included:
- /data/bundles
- /data/javascripts
- /data/authenticate
Attempts to open these URLs in a browser resulted in 404 responses, indicating the paths are inactive or accessible only under certain conditions.
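To turn the observables above into a detection, here is an added Python example (not code from the report or from Hunt.io): it refangs the published indicators and flags egress-log lines that reach the C2 hosts, request the implant's URL paths, or connect to the observed listener ports. The log format and the sample lines are constructed for the example.

```python
import re

# Indicators published in this report, defanged as printed; refanged for matching.
DEFANGED_IPS = ["179.60.149[.]75", "179.60.149[.]4"]
DEFANGED_DOMAINS = ["ycombinator.serveblog[.]net"]
IMPLANT_PATHS = {"/data/bundles", "/data/javascripts", "/data/authenticate"}
C2_PORTS = {3333, 22813, 43215, 22913}  # Sliver listeners plus the Ligolo-ng port

def refang(ioc):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

IPS = {refang(i) for i in DEFANGED_IPS}
DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# Constructed egress-log format: <ts> <src_ip> <dst_host>:<dst_port> <method> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+) (\d{3})$")

def classify(line):
    """Return an alert dict for one log line, or None if it matches no indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, host, port, _method, path, status = m.groups()
    reasons = []
    if host in IPS or host in DOMAINS:
        reasons.append("known-c2-host")
    if path in IMPLANT_PATHS:
        reasons.append("implant-url-path")  # weak on its own; strong with a known host
    if host in IPS and int(port) in C2_PORTS:
        reasons.append("c2-listener-port")
    if not reasons:
        return None
    # Do not discount 404s: the report saw 404 on these paths from a browser.
    return {"ts": ts, "src": src, "dst": f"{host}:{port}", "path": path,
            "status": status, "reasons": reasons}

def scan(lines):
    """Run classify() over a log and keep only the lines that raised an alert."""
    return [a for a in map(classify, lines) if a]

# Constructed sample lines, not from the report; the third is a path-only hit.
SAMPLE_LOG = [
    "2024-11-10T08:01:02Z 10.0.0.15 179.60.149.75:443 GET /data/bundles 404",
    "2024-11-10T08:01:09Z 10.0.0.15 ycombinator.serveblog.net:80 GET / 302",
    "2024-11-10T08:02:30Z 10.0.0.22 www.example.org:443 GET /data/bundles 200",
    "2024-11-10T08:03:11Z 10.0.0.15 179.60.149.75:22913 CONNECT - 200",
    "2024-11-10T08:04:00Z 10.0.0.40 cdn.example.net:443 GET /static/app.js 200",
]
```

Calling `scan(SAMPLE_LOG)` raises four alerts: the path-only hit on example.org is kept so an analyst can triage it, while the benign CDN request is dropped.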
Infrastructure Expansion - Identifying Linked Server via Certificate Analysis
Over the past two weeks, 179.60.149[.]75 frequently cycled through TLS certificates, including those commonly associated with Sliver C2 infrastructure. Among these, one certificate issued by Let's Encrypt uses the previously identified spoofed domain, while others bear the "multiplayer" subject common name, the framework's default certificate name, which is widely used to track its infrastructure.
Several certificates use the generic common name "localhost." In our analysis of recent C2 deployments, this detail has emerged as a solid secondary indicator of command-and-control infrastructure linked to this framework. Using "localhost" likely reflects an attempt to mislead researchers by mimicking certificates typically used for testing.
In addition to the common name, many certificates include random words or fictitious company names in the organization field, often paired with geographic data, such as city names from Canada or Japan. This mix of natural and fake details adds obfuscation, complicating attribution. Despite these challenges, this pattern remains a consistent marker of the infrastructure associated with this framework.
Pivoting on one of the localhost certificates (SHA-256: 252A651B3BBAB4F3B84C2E8EE9A37C3E899094CFD7366C814C1EAE1632DA2668) identified one additional IP, 179.60.149[.]4, hosted on the same ASN and sharing this certificate.
This IP closely matches the original in port configuration, hosting active Sliver C2 ports alongside Ligolo-ng. Using similar tools and settings suggests the potential for additional infrastructure linked to this campaign.
At the time of writing, no domains were associated with 179.60.149[.]4.
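The certificate pivot described in this section, as an added Python example that is not code from the report or from Hunt.io: it scores certificate subjects for the traits the report names ("multiplayer" CN, "localhost" CN padded with an organization and a city, self-signed), then follows any Sliver-like certificate on a seed host to every other host presenting the same fingerprint. The scanner records are constructed; only the IPs, ports and the localhost certificate fingerprint come from the report, and the other fingerprints are labelled placeholders.

```python
SLIVER_DEFAULT_CN = "multiplayer"  # default Sliver certificate CN named in the report
LOCALHOST_FP = "252A651B3BBAB4F3B84C2E8EE9A37C3E899094CFD7366C814C1EAE1632DA2668"
FAKE_ORG = {"CN": "localhost", "O": "Maple Harbor Ltd", "L": "Calgary", "C": "CA"}

# Constructed scanner records. The IPs, ports and LOCALHOST_FP come from the
# report; which certificate sat on which port, the FAKE_ORG strings and the
# placeholder fingerprints are assumptions made for this example.
OBSERVATIONS = [
    {"ip": "179.60.149.75", "port": 443, "sha256": "FP_LETSENCRYPT_PLACEHOLDER",
     "subject": {"CN": "ycombinator.serveblog.net"}, "issuer": {"O": "Let's Encrypt"}},
    {"ip": "179.60.149.75", "port": 22813, "sha256": "FP_MULTIPLAYER_A_PLACEHOLDER",
     "subject": {"CN": "multiplayer"}, "issuer": {"CN": "multiplayer"}},
    {"ip": "179.60.149.75", "port": 43215, "sha256": LOCALHOST_FP,
     "subject": FAKE_ORG, "issuer": FAKE_ORG},
    {"ip": "179.60.149.4", "port": 22813, "sha256": "FP_MULTIPLAYER_B_PLACEHOLDER",
     "subject": {"CN": "multiplayer"}, "issuer": {"CN": "multiplayer"}},
    {"ip": "179.60.149.4", "port": 43215, "sha256": LOCALHOST_FP,
     "subject": FAKE_ORG, "issuer": FAKE_ORG},
    {"ip": "203.0.113.9", "port": 8443, "sha256": "FP_DEV_BOX_PLACEHOLDER",  # plain dev cert
     "subject": {"CN": "localhost"}, "issuer": {"CN": "localhost"}},
]

def cert_traits(subject, issuer):
    """Traits the report ties to Sliver certificates; 'localhost-cn' alone is only secondary."""
    traits = []
    cn = subject.get("CN", "")
    if cn == SLIVER_DEFAULT_CN:
        traits.append("default-sliver-cn")
    if cn == "localhost":
        traits.append("localhost-cn")
        if subject.get("O") and subject.get("L"):  # padded with an org name and a city
            traits.append("fictitious-org-and-locality")
    if subject == issuer:
        traits.append("self-signed")
    return traits

def pivot_on_fingerprint(obs, sha256):
    """Every IP presenting the given certificate: the pivot the report used."""
    return sorted({o["ip"] for o in obs if o["sha256"].upper() == sha256.upper()})

def find_linked_hosts(obs, seed_ip):
    """Follow each Sliver-like certificate on the seed host to other hosts serving it."""
    linked = set()
    for o in obs:
        if o["ip"] == seed_ip and cert_traits(o["subject"], o["issuer"]):
            linked.update(pivot_on_fingerprint(obs, o["sha256"]))
    linked.discard(seed_ip)
    return sorted(linked)
```

`find_linked_hosts(OBSERVATIONS, "179.60.149.75")` returns only 179.60.149.4: the Let's Encrypt certificate has no Sliver traits and is skipped, and the unrelated dev box with a bare "localhost" certificate is never reached because it shares no fingerprint.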
The above highlights the operators' reliance on the Sliver framework and Ligolo-ng to achieve their objective, whatever that may be. With a clearer understanding of the tactics and tools involved, and no further leads, we can move to the conclusion.
Conclusion
Our research traced a small set of infrastructure leveraging the Sliver C2 framework and Ligolo-ng, connected through distinct indicators such as TLS certificates and port configurations. Alongside the initial IP, we identified an additional server.
We also observed a domain crafted to mimic a company known for supporting startups, likely aiming to establish credibility with potential targets.
These findings emphasize the importance of monitoring subtle changes in known malicious infrastructure indicators, which can reveal additional IPs that may otherwise go undetected. Proactive analysis remains essential in tracking and disrupting similar campaigns.
Network Observables
IP Address | Hosting Country | ASN | Domain(s) | Notes |
---|---|---|---|---|
179.60.149[.]75 | US | HOSTKEY | ycombinator.serveblog[.]net | Sliver C2 and Ligolo-ng, likely used to target Y Combinator. |
179.60.149[.]4 | US | HOSTKEY | N/A | Sliver C2 and Ligolo-ng server. Shares a TLS certificate with 179.60.149[.]75. |
Sliver Implant
File Name | File Type | SHA-256 |
---|---|---|
cloud | ELF 64-bit | c8b524ca90adea19d920beb5cc6bd86dd03b23b0b2c61675cef9d6c0446aea84 |
Hunt Intelligence, Inc.