Palo Alto Networks’ Unit 42 threat hunters have discovered a new post-exploitation tool called Splinter, which attackers use to wreak havoc in victims’ IT environments after the initial infiltration. The tool allows attackers to execute Windows commands, steal files, collect cloud service account information, and download additional malware onto victims’ systems.
Unlike Cobalt Strike, a legitimate red-teaming tool that is often cracked and misused by attackers, Splinter is a new and unknown entity. Unit 42 has not yet identified who developed the tool, but it is being used to target organizations.
The malware is written in Rust and is exceptionally large, even for Rust, with typical samples coming in at around 7 MB. This is primarily due to the large number of external libraries that the file uses. The configuration data is stored in a JSON format, which contains implant ID, targeted endpoint ID, command-and-control (C2) server details, and more.
Upon execution, the sample parses the configuration data and uses the network information it contains to connect to the C2 server over HTTPS with login credentials. The software then begins communicating with the C2 server and executing tasks, including running Windows commands, uploading files, downloading malicious files, collecting cloud service account information, and self-destructing.
Unit 42 has also released sample hashes and URL paths used by the attacker’s C2 server to communicate with the implant, execute tasks, and download or upload files. It is essential for organizations to check these out to ensure that there is no unwanted code dwelling in their systems.
Source: https://www.theregister.com/2024/09/23/splinter_red_team_tool/