Alert from Cybersecurity Researchers About New Splinter Tool for Post-Exploitation

Sep 25, 2024Ravie LakshmananPen Testing / Cyber Threat

A brand new red team tool known as Splinter has been identified by cybersecurity researchers for post-exploitation purposes.

Palo Alto Networks Unit 42 published its findings after discovering the tool on several customers' systems.

“Developed using the Rust programming language, the Splinter tool boasts a standard set of functions typically seen in penetration testing software,” said Dominik Reichel of Unit 42. “Although not as advanced as established post-exploitation tools like Cobalt Strike, Splinter could pose a threat to organizations when misused.”

While penetration testing tools are mainly deployed in red team exercises to identify weaknesses in a network, they can just as easily be weaponized by malicious actors.


Unit 42 confirmed that no activity from threat actors using Splinter has been identified. The origin of the tool remains unknown.

Analysis by the cybersecurity firm indicates that the tool is notably large, with a file size of approximately 7 MB, owing to the inclusion of 61 Rust crates.
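As an added triage example (not part of Unit 42's analysis or this article), the "large Rust binary built from many crates" profile can be approximated from strings alone: Rust binaries normally embed cargo registry source paths for the crates they were compiled from, so counting the distinct crate names in a file gives a rough crate count. The sample bytes below are constructed, and the size and crate-count thresholds are assumptions loosely based on the 7 MB / 61-crate figures above.

```python
import re

# Cargo registry paths embedded in Rust binaries look like
#   /home/dev/.cargo/registry/src/<index-dir>/<crate>-<version>/src/lib.rs
# (backslashes on Windows builds). Crate name is non-greedy so that
# "tokio-util-0.7.11" splits into crate "tokio-util" and version "0.7.11".
CRATE_PATH_RE = re.compile(
    rb"[\\/]\.cargo[\\/]registry[\\/]src[\\/][^\\/]+[\\/]"
    rb"(?P<crate>[A-Za-z0-9_-]+?)-(?P<version>\d+\.\d+\.\d+[A-Za-z0-9.+-]*)[\\/]"
)


def enumerate_crates(data: bytes) -> dict:
    """Return {crate_name: version} for every cargo registry path found in the blob."""
    crates = {}
    for m in CRATE_PATH_RE.finditer(data):
        crates[m.group("crate").decode()] = m.group("version").decode()
    return crates


def triage(data: bytes, min_crates: int = 40, min_size: int = 5 * 1024 * 1024) -> dict:
    """Summarise a sample. The default thresholds are assumptions, not Unit 42 values."""
    crates = enumerate_crates(data)
    return {
        "size_bytes": len(data),
        "is_rust": bool(crates),
        "crate_count": len(crates),
        "crates": crates,
        # Flag only the combination the article describes: big file AND many crates.
        "large_multicrate": len(data) >= min_size and len(crates) >= min_crates,
    }


# Constructed stand-in for a file's raw bytes: a few embedded paths plus junk.
SAMPLE = (
    b"MZ\x90\x00junk\x00"
    b"C:\\Users\\dev\\.cargo\\registry\\src\\index.crates.io-6f17d22bba15001f\\tokio-1.38.0\\src\\runtime\\mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-util-0.7.11/src/codec/mod.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tokio-1.38.0/src/net/tcp.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/reqwest-0.12.5/src/lib.rs\x00"
    b"/home/dev/.cargo/registry/src/index.crates.io-6f17d22bba15001f/sha2-0.10.8/src/lib.rs\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print(report["crate_count"], sorted(report["crates"]))  # 4 ['reqwest', 'sha2', 'tokio', 'tokio-util']
```

Run it against a real file with `triage(open(path, "rb").read())`; stripped or packed binaries may carry no registry paths, so a count of zero is inconclusive rather than a clean verdict.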

Splinter operates like many other post-exploitation frameworks, with a configuration for the command-and-control (C2) server to facilitate communication via HTTPS.

“Utilizing a task-oriented approach, Splinter implants receive instructions from the attacker’s C2 server,” explained Reichel. “This is a common model found in post-exploitation frameworks.”

Among its capabilities, the tool can carry out Windows commands, execute modules through remote process injection, transfer files, gather cloud service credentials, and self-destruct.

“Given the increasing diversity, it’s vital to track and enhance prevention and detection mechanisms, as threat actors are likely to adopt any successful tactics for infiltrating organizations,” added Reichel.

The disclosure coincides with Deep Instinct revealing two attack vectors for achieving covert code injection and privilege escalation using an RPC interface in Microsoft Office and a malicious shim.

“By implanting shellcode through the Thread Name-Calling method, attackers can sidestep endpoint protection measures,” noted security researcher Aleksandra “Hasherezade” Doniec.

“Thread Name-Calling relies on newer Windows APIs while tapping into established methods like APC injections, a key threat to consider. Additionally, manipulating remote process access rights raises suspicions.”


In July 2024, Check Point explored another innovation in injection techniques termed Thread Name-Calling, exploiting thread description APIs to insert shellcode into an active process without detection by endpoint security tools.

“The evolving Windows APIs are giving rise to new possibilities for code injection,” security expert Aleksandra “Hasherezade” Doniec stressed.

“While Thread Name-Calling harnesses fresh API functions, it also leverages older, familiar elements like APC injections, a persistent threat. Modifying remote process rights is an action that raises red flags.”
