Attackers are leveraging identified flaws within the Sunlogin software program to deploy the Sliver command and management (C2) framework to carry out post-exploitation actions.
The findings come from the AhnLab Safety Emergency Response Middle (ASEC), which found safety vulnerabilities in Sunlogin, a distant desktop program developed in China, being exploited to deploy varied payloads.
“Not solely did the attackers use the Sliver backdoor, additionally they used BYOVD (Deliver Your Personal Susceptible Driver) malware to neutralize safety merchandise and set up a reverse shell,” mentioned the researchers.
The assault chain started with the exploitation of two distant code execution bugs in variations of Sunlogin previous to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), and different exploits comparable to Sliver or Gh0st RAT and XMRig crypto. Ship malware. coin miner.
In a single occasion, the attackers allegedly weaponized a Sunlogin flaw to put in PowerShell scripts, used BYOVD methods to disable safety software program put in on the system, and used Powercat to drop a reverse shell. It’s
The BYOVD methodology exploits a respectable weak Home windows driver mhyprot2.sys signed with a legitimate certificates to raise privileges and terminate the antivirus course of.
It’s price noting that the anti-cheat driver for the Genshin Affect online game has beforehand been used as a precursor to ransomware deployments, as revealed by Development Micro.
“It isn’t confirmed if it was accomplished by the identical menace actor, however logs present that a couple of hours later the Sunlogin RCE vulnerability was exploited to put in a Sliver backdoor on the identical system. ‘ mentioned the researchers.
The findings got here as attackers adopted Sliver, a respectable Go-based penetration testing instrument, as a substitute for Cobalt Strike and Metasploit.
“Sliver, like Cobalt Strike, offers the required tiered capabilities comparable to account theft, inside community migration, and company inside community hijacking,” the researchers concluded.