Move over, Cobalt Strike, there's a new post-exploit tool
Briefly

"While Splinter is not as advanced as other well-known post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused," says Unit 42 analyst Dominik Reichel.
"The newly uncovered code is a good reminder that attackers are sneaky and continue to invest in tools intended to remain undetected on victims' networks." This highlights the evolving tactics of cyber attackers.
Reichel explained: "Upon execution, the sample parses the configuration data and it uses the network information to connect to the C2 server using HTTPS with the login credentials." This shows the technical sophistication behind Splinter.
"Splinter also uses a JSON format for its configuration data that contains the implant ID and targeted endpoint ID, along with the command-and-control (C2) server details." This suggests a well-structured approach to configurations.
Read at The Register