Move over, Cobalt Strike. Splinter’s the new post-exploit menace in town

No malware crew linked to this latest red-teaming tool yet

Attackers are using Splinter, a new post-exploitation tool, to wreak havoc in victims' IT environments after initial infiltration, utilizing capabilities such as executing Windows commands, stealing files, collecting cloud service account info, and downloading additional malware onto victims' systems.

Then the malicious code self-deletes, according to Palo Alto Networks' Unit 42 threat hunters, who spotted the new penetration testing tool hiding in several of their customers' systems.

"While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused," Unit 42 analyst Dominik Reichel said this month.

Unlike Splinter, Cobalt Strike is a legitimate red-teaming tool. Cracked copies, however, are frequently used for illicit purposes and are a favorite among ransomware operators and cyberspies.

The newly uncovered code is a good reminder that attackers are sneaky and continue to invest in tools intended to remain undetected on victims' networks.

Unit 42 has yet to identify who developed Splinter. The team uncovered the tool's internal project name in a debug artifact.

That malware is written in Rust, and its samples are "exceptionally" large, even for Rust, with a typical sample coming in around 7 MB. This, we're told, is primarily due to the large number of external libraries that the file uses.

Splinter also uses a JSON format for its configuration data that contains the implant ID and targeted endpoint ID, along with the command-and-control (C2) server details.

"Upon execution, the sample parses the configuration data and it uses the network information to connect to the C2 server using HTTPS with the login credentials," Reichel noted.

The software nasty then begins communicating with the C2 server and executing whatever tasks the attacker tells it to, which can include: running Windows commands, executing a module via remote process injection, uploading a file from the victim's system to the attacker's server, downloading malicious files to the victim's machine, collecting information from cloud service accounts, and self-destructing.

Unit 42 also lists a sample hash, along with URL paths that the attacker's C2 server uses to communicate with the implant, execute tasks and download or upload files. It's a good idea to check these out to ensure there's no unwanted code dwelling in your systems.

And as Reichel points out, it's also a good reminder that Cobalt Strike isn't the only red-teaming tool to worry about in the wild. ®
