February 7, 2023Rabbi LakshmananCyber ​​Threat/Malware

Attackers are leveraging known flaws in the Sunlogin software to deploy the Sliver command and control (C2) framework to perform post-exploitation activities.

The findings come from the AhnLab Security Emergency Response Center (ASEC), which discovered security vulnerabilities in Sunlogin, a remote desktop program developed in China, being exploited to deploy various payloads.

“Not only did the attackers use the Sliver backdoor, they also used BYOVD (Bring Your Own Vulnerable Driver) malware to neutralize security products and install a reverse shell,” said the researchers. Said.

The attack chain begins with the exploitation of two remote code execution bugs in versions of Sunlogin prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), and attacks by Sliver or other malware (such as ). Gh0st RAT XMRig crypto coin miner.

In one instance, attackers allegedly weaponized a Sunlogin flaw to install PowerShell scripts, used BYOVD techniques to neutralize security software installed on systems, and used Powercat to drop reverse shells. It is

The BYOVD method exploits a legitimate vulnerable Windows driver mhyprot2.sys signed with a valid certificate to elevate privileges and terminate the antivirus process.

It is worth noting that the anti-cheat driver for the Genshin Impact video game has previously been used as a precursor to ransomware deployments, as revealed by Trend Micro.

“It is not confirmed if it was done by the same threat actor, but logs show that a few hours later the Sunlogin RCE vulnerability was exploited to install a Sliver backdoor on the same system. ‘ said the researchers.

The findings came as attackers adopted Sliver, a legitimate Go-based penetration testing tool, as an alternative to Cobalt Strike and Metasploit.

“Sliver, like Cobalt Strike, provides the necessary tiered capabilities such as account theft, internal network migration, and corporate internal network hijacking,” the researchers concluded.

Did you find this article interesting?Please follow us twitter and LinkedIn To read more exclusive content that we post.

cropped-BTA_Logo-B-1-scaled-1
YOUR FUTURE STARTS HERE.

BLUE TRAINING ACADEMY

Register now for our membership to gain access to our elite training program and fast forward your career today!

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

cropped-BTA_Logo-B-1-scaled-1
Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog