Cybersecurity Experts Uncover New Red Team Tool “Splinter”

[Source – thehackernews.com]

Cybersecurity researchers from Palo Alto Networks Unit 42 have identified a new post-exploitation red team tool, dubbed “Splinter,” that has surfaced in the wild. This newly discovered tool has raised concerns about its potential misuse in cybersecurity attacks despite its current lack of association with any threat actors.

Splinter: A New but Less Advanced Tool

Splinter, developed using the Rust programming language, was detected on several customer systems by Unit 42 researchers. According to Dominik Reichel from Unit 42, “While Splinter is not as advanced as other post-exploitation tools like Cobalt Strike, it still presents a potential threat to organizations if it is misused.”

The tool offers standard features commonly seen in penetration testing tools, typically used by red teams to simulate attacks and identify security vulnerabilities in a company’s network. However, these same tools can be exploited by malicious actors for cyberattacks, potentially compromising organizational security.

Though Unit 42 has not observed any threat actor activity linked to Splinter, they are remaining vigilant. As of now, there is no confirmed information regarding the developer of the tool, adding to the mystery of its origins.

Understanding Splinter’s Capabilities

Splinter operates like other post-exploitation frameworks and includes a configuration that establishes communication with a command-and-control (C2) server over HTTPS. Once connected, it receives tasks from the attacker-controlled C2 server. The tool allows attackers to execute a range of commands, including running Windows tasks, injecting modules into remote processes, uploading and downloading files, collecting cloud service account details, and deleting itself from the compromised system.

One of the notable aspects of Splinter is its size, around 7 MB, which results from the 61 Rust crates compiled into the tool. This bulk adds complexity to its detection and analysis by cybersecurity professionals. According to Unit 42’s findings, the growing diversity of such tools highlights the importance of staying current on prevention and detection techniques, as attackers are always on the lookout for new ways to infiltrate and compromise systems.

Broader Context of Emerging Cyber Threats

Splinter’s emergence comes at a time when the cybersecurity landscape is witnessing the rise of new attack methods. Recently, Deep Instinct researchers revealed two attack techniques that could be leveraged for stealthy code injection and privilege escalation using an RPC interface in Microsoft Office and a malicious shim. Researchers Ron Ben-Yizhak and David Shandalov described how they bypassed Endpoint Detection and Response (EDR) systems, further emphasizing the evolving nature of cyberattacks.

In addition, Check Point highlighted a new process injection technique called “Thread Name-Calling,” which uses the API for thread descriptions to inject shellcode into a running process. This method allows attackers to bypass endpoint protection systems while manipulating access rights within a remote process.

As Aleksandra “Hasherezade” Doniec, a security researcher, pointed out, “As new APIs are added to Windows, new ideas for injection techniques are appearing. However, even these newer methods often rely on older, well-known components, which should always be regarded as potential threats.”

The continued development of sophisticated tools like Splinter and the increasing variety of attack techniques call for heightened vigilance and advanced detection measures within organizations. The ever-changing nature of cybersecurity threats demands constant adaptation from both security teams and the tools they use.