Sliver Implant Targets German Entities With Dll Sideloading And Proxying Techniques
Cyble Research and Intelligence Labs (CRIL) has uncovered a cyberattack targeting organizations in Germany, utilizing a deceptive LNK file within an archive to execute a malicious payload known as Sliver. The attack employs DLL sideloading and proxying techniques to maintain stealth and control over the infected systems.

Affected: Germany

Key points:

  • Cyberattack identified by Cyble Research targeting organizations in Germany.
  • Attack initiated via a deceptive LNK file embedded in an archive.
  • Execution of the LNK file triggers cmd.exe to run a legitimate executable.
  • Malicious DLL is sideloaded to execute shellcode while maintaining normal application behavior.
  • Final payload is the Sliver framework, enabling further malicious operations.
  • Attack likely initiated through spear-phishing emails.
  • DLL proxying technique is used to enhance evasion of detection.
  • Recommendations include strong email filtering and application whitelisting.
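As an added illustration of the chain in the key points above (LNK, then cmd.exe, then a legitimate executable that sideloads an unsigned DLL from its own directory), here is a small detection sketch run over constructed Sysmon-style events. It is not code from the Cyble report; the file paths, process names and event layout are assumptions made for the sample.

```python
import ntpath

# Directories where a legitimately installed executable is expected to live; an
# application run from anywhere else (Downloads, Temp, an extracted archive) is suspect.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style events (hypothetical sample data, not from the Cyble report).
# id 1 = process creation, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1200, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 1300, "ppid": 1200, "image": r"C:\Users\u\Downloads\archive\app.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"id": 7, "pid": 1300, "loaded": r"C:\Users\u\Downloads\archive\helper.dll", "signed": False},
    {"id": 7, "pid": 1300, "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Benign control: an installed, signed tool loading its own signed DLL.
    {"id": 1, "pid": 1400, "ppid": 900, "image": r"C:\Program Files\Vendor\tool.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 7, "pid": 1400, "loaded": r"C:\Program Files\Vendor\tool.dll", "signed": True},
]


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.normcase(ntpath.dirname(path))


def find_sideloading_chains(events):
    """Return processes matching the chain in the summary: cmd.exe spawned by explorer.exe
    (as a double-clicked LNK would do), which starts an executable outside the system
    directories, which in turn loads an unsigned DLL from its own directory."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    findings = []
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None or _base(parent["image"]) != "cmd.exe":
            continue
        if _base(parent["parent_image"]) != "explorer.exe":
            continue
        if ntpath.normcase(proc["image"]).startswith(SYSTEM_DIRS):
            continue  # installed software; not the pattern described here
        for load in events:
            if load["id"] != 7 or load["pid"] != pid or load["signed"]:
                continue
            if _dir(load["loaded"]) == _dir(proc["image"]):
                findings.append({"pid": pid, "exe": proc["image"], "dll": load["loaded"]})
    return findings
```

On real telemetry the signature field would come from Sysmon's image-load event, and the explorer.exe parent check is a heuristic for LNK launches that a scheduled-task or startup-folder path will not satisfy, so it should be paired with the startup-folder LNK persistence check noted in the MITRE mapping.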

MITRE Techniques:

  • Initial Access (TA0001) – Phishing (T1566): Archive file delivered via phishing emails.
  • Execution (TA0002) – Command and Scripting Interpreter (T1059): Commands executed through command interpreters.
  • Persistence (TA0003) – Registry Run Keys / Startup Folder (T1547.001): Creates persistence by adding a LNK file to the startup folder.
  • Privilege Escalation (TA0004) – Hijack Execution Flow: DLL Side-Loading (T1574.002): Executes malicious DLL using DLL sideloading.
  • Defense Evasion (TA0005) – Obfuscated Files or Information (T1027.002): Binary includes encrypted data.
  • Command and Control (TA0011) – Application Layer Protocol: Web Protocols (T1071.001): Implant communicates with its C&C server.

Indicators of Compromise:

  • [file hash] 83a70162ec391fde57a9943b5270c217d63d050aae94ae3efb75de45df5298be (SHA-256 Archive File)
  • [file hash] f778825b254682ab5746d7b547df848406bb6357a74e2966b39a5fa5eae006c2 (SHA-256 LNK file)
  • [file hash] 9b613f6942c378a447c7b75874a8fff0ef7d7fd37785fdb81b45d4e4e2d9e63d (SHA-256 Malicious DLL)
  • [file hash] 86f8a979bd887955f0491a0ed5e00de2f3fe53e6eb5856fb823115ce43b7c0ca (SHA-256 Encrypted .dat file)
  • Check the article for all found IoCs.

Full Research: https://cyble.com/blog/sliver-implant-targets-german-entities-with-dll-sideloading-and-proxying-techniques/