Cyber security researchers have noted the discovery of a new post-exploitation red team tool called Splinter in the wild.
Palo Alto Networks Unit 42 shared its findings after discovering the program on several customers’ systems.
“It has a standard set of features commonly found in penetration testing tools, and its developer built it using the Rust programming language,” Dominik Reichel of Unit 42 said. “While Splinter is not as sophisticated as other well-known post-exploitation tools such as Cobalt Strike, it still poses a potential threat to organizations if misused.”
Penetration testing tools are often used in red team operations to flag potential security issues in a company’s network. However, the same adversary-simulation tooling can also be weaponized by threat actors for their own ends.
Unit 42 said it has not identified any threat activity related to the Splinter toolkit. There is no information yet about who developed the tool.
The artifacts discovered by the cybersecurity company are “extremely large” at around 7MB, mainly due to the presence of 61 Rust crates.
Splinter is no different from other post-exploitation frameworks in that it comes with a configuration that includes command-and-control (C2) server information, which is parsed to establish contact with the server over HTTPS.
“Splinter implants are driven by a task-based model that is common among post-exploitation frameworks,” Reichel noted. “It gets its tasks from the C2 server that the attacker defined.”
Some of the tool’s features include executing Windows commands, running modules via remote process injection, uploading and downloading files, collecting cloud service account information, and self-deletion from the system.
“The increasing diversity underscores the importance of staying current with prevention and detection capabilities, as criminals are likely to adopt any method effective at compromising organizations,” Reichel said.
The disclosure comes as Deep Instinct detailed two attack techniques that threat actors can use to achieve covert code injection and privilege escalation by exploiting the RPC interface in Microsoft Office and malicious shims, respectively.
“We applied a malicious shim to the process without registering the SDB file on the system,” researchers Ron Ben-Izhak and David Shandalow said. “We actually bypassed EDR detection by writing to the child process and loading the target DLL from the suspended child process before the EDR hook could be set.”
In July 2024, Check Point also shed light on a new process injection technique called Thread Name-Calling, which allows shellcode to be implanted into a running process by abusing the Thread Description API, bypassing endpoint protection products.
“As new APIs are added to Windows, new ideas for injection techniques emerge,” security researcher Alexandra “Hasherezade” Doniec said.
“Thread Name-Calling uses some of the relatively new APIs. However, it cannot avoid incorporating older, well-known components such as APC injection, and those APIs should always be considered a potential threat. Similarly, manipulation of access rights in a remote process is suspicious activity.”