October 9, 2024
Cybersecurity Researchers Warn of New Rust-Based Splinter Post-Exploitation Tool
Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild. Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers' systems. "It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language," Unit 42's Dominik

Sep 25, 2024Ravie LakshmananPenetration Testing / Cyber Threat

Cybersecurity researchers have flagged the discovery of a new post-exploitation red team tool called Splinter in the wild.

Palo Alto Networks Unit 42 shared its findings after it discovered the program on several customers’ systems.

“It has a standard set of features commonly found in penetration testing tools and its developer created it using the Rust programming language,” Unit 42’s Dominik Reichel said. “While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused.”

Penetration testing tools are often used for red team operations to flag potential security issues in a company’s network. However, such adversary simulation tools can also be weaponized by threat actors to their advantage.

Unit 42 said it has not detected any threat actor activity associated with the Splinter tool set. There is no information as yet on who developed the tool.

Artifacts unearthed by the cybersecurity firm reveal that they are “exceptionally large,” coming in around 7 MB, primarily owing to the presence of 61 Rust crates within it.

Splinter is no different than other post-exploitation frameworks in that it comes with a configuration that includes information about the command-and-control (C2) server, which is parsed in order to establish contact with the server using HTTPS.

“Splinter implants are controlled by a task-based model, which is common among post-exploitation frameworks,” Reichel noted. “It obtains its tasks from the C2 server the attacker has defined.”

Some of the functions of the tool include executing Windows commands, running modules via remote process injection, uploading and downloading files, collecting cloud service account info, and deleting itself from the system.

“The increasing variety underscores the importance of staying up to date on prevention and detection capabilities, since criminals are likely to adopt any techniques that are effective for compromising organizations,” Reichel said.

The disclosure comes as Deep Instinct detailed two attack methods that could be exploited by threat actors to achieve stealthy code injection and privilege escalation by leveraging an RPC interface in Microsoft Office and a malicious shim, respectively.

“We applied a malicious shim in a process without registering an SDB file on the system,” researchers Ron Ben-Yizhak and David Shandalov said. “We effectively bypassed EDR detection by writing to a child process and loading the target DLL from the suspended child process before any EDR hook can be established.”

In July 2024, Check Point also shed light on a new process injection technique called Thread Name-Calling that allows to implant of a shellcode into a running process by abusing the API for thread descriptions while bypassing endpoint protection products.

“As new APIs are added to Windows, new ideas for injection techniques are appearing,” security researcher Aleksandra “Hasherezade” Doniec said.

“Thread Name-Calling uses some of the relatively new APIs. However, it cannot avoid incorporating older well-known components, such as APC injections – APIs which should always be taken into consideration as a potential threat. Similarly, the manipulation of access rights within a remote process is a suspicious activity.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.