AhnLab ASEC highlights a campaign where malware installers masquerade as legitimate Korean VPN and software download files, distributing Sliver C2 and MeshAgent through a dedicated program developer’s ecosystem. The operators use Go-based malware, anti-sandbox checks, encrypted config data, and code-signed binaries (some with valid certificates, others with stolen or invalid ones) to evade detection while enabling remote control, data exfiltration, and webcam capture. Hashtags: #SliverC2 #MeshAgent #SparkRAT #KoreanVPN #MeshCentral #PRETTY_BLADDER
Keypoints
- Malicious installers are uploaded to software download sites (often tied to a Korean VPN provider) and may be mistaken for legitimate downloads.
- Threat actors shifted from SparkRAT to Sliver C2 for command and control, leveraging Go language for dropper/downloader/injector functionality.
- Installers use anti-sandbox checks and encrypted condition lists, injecting Sliver C2 into Notepad when conditions match.
- Many samples are signed with valid certificates, while others use stolen/invalid certificates to disguise as legitimate software.
- MeshAgent is deployed for remote desktop capability and later used to install additional malware (e.g., m.exe webcam capture).
- Key IOCs include C2 domains, config endpoints, and various malicious file names; indicators point to a campaign active since early 2023.
MITRE Techniques
- [T1189] Drive-by Compromise – The attackers uploaded malicious installers on a VPN/software download site, potentially delivering malware to users visiting the site. Quote: “Malicious installers are still uploaded on the software download website provided by this company, so users may be unaware of this fact and install the file in question.”
- [T1116] Code Signing – Some malware samples are signed with valid certificates from the program developer. Quote: “There are also multiple malware strains signed with a valid certificate from the appropriate program developer.”
- [T1036] Masquerading – The files are disguised as legitimate installers for services; some are misrepresented as font files while being actual installers. Quote: “The files are supposed to be font files, but they are actually malicious installers.”
- [T1105] Ingress Tool Transfer – The malware connects to C2 and downloads encrypted configuration data; when conditions match, Sliver C2 is downloaded. Quote: “The malicious installer connects to the C&C server and downloads encrypted configuration data. When conditions match, Sliver C2 is downloaded.”
- [T1055] Process Injection – Notepad is launched and Sliver C2 is injected into this process; the operation occurs alongside the normal installer execution. Quote: “Notepad (notepad.exe), a normal program, is executed before Sliver C2 is injected into this.”
- [T1125] Video Capture – The threat can capture webcam feeds via a module (m.exe). Quote: “The file ‘m.exe’ is a malware type that captures webcam feeds and is also available publicly on GitHub.”
- [T1021] Remote Services – MeshAgent provides remote desktop capabilities (VNC/RDP), enabling control of the infected system. Quote: “MeshAgent allows various system control commands such as command execution and file download, as well as remote desktop features such as VNC and RDP.”
- [T1071.001] Web Protocols – Sliver C2 communicates over web protocols; C2 URL is used for remote control. Quote: “Sliver C2 Name: PRETTY_BLADDER” and “C&C URL: panda.sect[.]kr”
- [T1041] Exfiltration – The actor exfiltrates user information stored on the infected PC. Quote: “exfiltrating user information saved in the PC”
Indicators of Compromise
- [Domain] Sliver C2 – panda.sect.kr (C2 domain used for control and data exchange)
- [Domain] MeshAgent C2 – speed.ableoil.net (C2 domain used for control and data exchange)
- [Domain] Configuration/data host – status.devq.workers.dev (encrypted configuration data source)
- [Domain] Sliver C2 config host – config.v6.army (encrypted config payload delivery)
- [MD5] Malicious installers – e84750393483bbb32a46ca5a6a9d253c, eefbc5ec539282ad47af52c81979edb3
- [MD5] Malicious installer variants – 10298c1ddae73915eb904312d2c6007d, b4481eef767661e9c9524d94d808dcb6
- [File name] Webcam capturing malware – m.exe
- [File name] VPN/Setup related installers – VPNSetup1.0.4.4.exe, Install2.1.7.exe, Fax1.0.0.exe
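As an added example (not part of the ASEC report or this summary), the following script turns the indicators listed above into a small detection pass over host telemetry. It matches DNS queries against the C2 and config domains (including subdomains), file events against the listed MD5s and file names, and flags notepad.exe when it is spawned by one of the listed installers, since the report describes Sliver C2 being injected into a notepad.exe launched alongside the installer. The `key=value` log format and the sample lines are constructed for illustration; hostnames and paths are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Indicators listed in the ASEC summary above.
C2_DOMAINS: Dict[str, str] = {
    "panda.sect.kr": "Sliver C2",
    "speed.ableoil.net": "MeshAgent C2",
    "status.devq.workers.dev": "encrypted config host",
    "config.v6.army": "Sliver config host",
}
MALICIOUS_MD5 = {
    "e84750393483bbb32a46ca5a6a9d253c",
    "eefbc5ec539282ad47af52c81979edb3",
    "10298c1ddae73915eb904312d2c6007d",
    "b4481eef767661e9c9524d94d808dcb6",
}
CAMPAIGN_FILE_NAMES = {"m.exe", "vpnsetup1.0.4.4.exe", "install2.1.7.exe", "fax1.0.0.exe"}

# Constructed sample telemetry in a hypothetical key=value format (not from the report).
SAMPLE_LOGS = [
    "type=dns host=WS01 query=panda.sect.kr",
    "type=dns host=WS01 query=update.example.com",
    "type=file host=WS02 path=C:\\Users\\a\\Downloads\\VPNSetup1.0.4.4.exe md5=E84750393483BBB32A46CA5A6A9D253C",
    "type=process host=WS02 parent=Install2.1.7.exe image=notepad.exe",
    "type=process host=WS03 parent=explorer.exe image=notepad.exe",
    "type=file host=WS03 path=C:\\Temp\\m.exe md5=0123456789abcdef0123456789abcdef",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse one key=value log line into a dict (values contain no spaces here)."""
    return dict(_KV.findall(line))


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _domain_hit(name: str) -> Optional[str]:
    """Return the indicator role if name equals or is a subdomain of a listed domain."""
    name = name.lower().rstrip(".")
    for dom, role in C2_DOMAINS.items():
        if name == dom or name.endswith("." + dom):
            return role
    return None


def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the list of reasons this event matches campaign indicators (empty if none)."""
    reasons: List[str] = []
    kind = ev.get("type")
    if kind == "dns":
        role = _domain_hit(ev.get("query", ""))
        if role:
            reasons.append(f"DNS query for {role} domain {ev['query']}")
    elif kind == "file":
        if ev.get("md5", "").lower() in MALICIOUS_MD5:
            reasons.append("MD5 matches a known malicious installer")
        if _basename(ev.get("path", "")) in CAMPAIGN_FILE_NAMES:
            reasons.append("file name matches a campaign installer or payload")
    elif kind == "process":
        # The report describes Sliver being injected into notepad.exe started by the installer.
        if ev.get("image", "").lower() == "notepad.exe" and _basename(ev.get("parent", "")) in CAMPAIGN_FILE_NAMES:
            reasons.append("notepad.exe spawned by a campaign installer (Sliver injection target)")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run every log line through check_event and collect the alerts."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        reasons = check_event(ev)
        if reasons:
            alerts.append({"host": ev.get("host"), "type": ev.get("type"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

The file-name rule is intentionally lower confidence than the hash and domain rules (a legitimate installer can share a name), so it is reported as a reason on the alert rather than a verdict; the notepad.exe parent check is the one signal here that survives a rebuilt installer with a new hash.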
Read more: https://asec.ahnlab.com/en/55652/