Attackers are leveraging known flaws in the Sunlogin software to deploy the Sliver command and control (C2) framework to perform post-exploitation activities.
The findings come from the AhnLab Security Emergency Response Center (ASEC), which discovered security vulnerabilities in Sunlogin, a remote desktop program developed in China, being exploited to deploy various payloads.
“Not only did the attackers use the Sliver backdoor, they also used BYOVD (Bring Your Own Vulnerable Driver) malware to neutralize security products and install a reverse shell,” said the researchers.
The attack chain began with the exploitation of two remote code execution bugs in versions of Sunlogin prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270) and other exploits such as Sliver or Gh0st RAT and XMRig crypto. Deliver malware. coin miner.
In one instance, attackers allegedly weaponized a Sunlogin flaw to install PowerShell scripts, used BYOVD techniques to neutralize security software installed on systems, and used Powercat to drop reverse shells. It is
The BYOVD method exploits a legitimate vulnerable Windows driver mhyprot2.sys signed with a valid certificate to elevate privileges and terminate the antivirus process.
It is worth noting that the anti-cheat driver for the Genshin Impact video game has previously been used as a precursor to ransomware deployments, as revealed by Trend Micro.
“It is not confirmed if it was done by the same threat actor, but logs show that a few hours later the Sunlogin RCE vulnerability was exploited to install a Sliver backdoor on the same system. ‘ said the researchers.
The findings came as attackers adopted Sliver, a legitimate Go-based penetration testing tool, as an alternative to Cobalt Strike and Metasploit.
“Sliver, like Cobalt Strike, provides the necessary tiered capabilities such as account theft, internal network migration, and corporate internal network hijacking,” the researchers concluded.
