Threat actors are leveraging known flaws in the Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.
The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a variety of payloads.
"Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells," the researchers said.
Attack chains start with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270, identifiers issued by China's National Vulnerability Database rather than CVE), followed by delivery of Sliver or other malware such as Gh0st RAT and the XMRig cryptocurrency miner.
In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed on the system and drop a reverse shell using Powercat.
The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that is signed with a valid certificate, so the kernel loads it without complaint; the attacker then drives it from user mode to gain elevated, kernel-backed capabilities and terminate antivirus processes that would otherwise be protected. Because the signature is valid, Driver Signature Enforcement does not stop the load, and defenders have to block or alert on the driver by file name and hash instead.
It is worth noting here that the anti-cheat driver for the Genshin Impact video game was previously used as a precursor to ransomware deployment, as disclosed by Trend Micro.
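The two indicators the article gives, the Sunlogin version boundary and the mhyprot2.sys driver, translate directly into checks a defender can run. The following Python is an added example written for this page; it is not code from ASEC, Sunlogin, or any of the tools named above. It assumes (1) an inventory of Sunlogin version strings and (2) driver-load telemetry in the shape of Sysmon Event ID 6 ("Driver loaded") records flattened to key="value" pairs; the sample records below are constructed, including the signer string, and no driver hashes are hard-coded because the page does not provide any.

```python
"""Added example: flag Sunlogin installs below the fixed version and
driver-load events that reference the mhyprot2.sys BYOVD driver.

Assumptions (not from the original article):
- Version strings look like 'v11.0.0.33' or '11.0'.
- Driver-load telemetry is Sysmon Event ID 6 flattened to key="value" pairs.
- Hash matching is left to the operator: KNOWN_BYOVD_HASHES is empty by design.
"""
import re

# First version the article names as no longer affected by the two CNVD bugs.
SUNLOGIN_FIXED = (11, 0, 0, 33)

# Driver named in the article. Extend from a vetted list (e.g. loldrivers.io).
KNOWN_BYOVD_DRIVERS = {"mhyprot2.sys"}
KNOWN_BYOVD_HASHES = set()  # deliberately empty: populate from your own source


def parse_version(s):
    """'v11.0.0.33' -> (11, 0, 0, 33); tolerant of a leading 'v' and short forms."""
    parts = re.findall(r"\d+", s)
    if not parts:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in parts)


def sunlogin_vulnerable(version):
    """True when the install is older than v11.0.0.33 (the article's boundary)."""
    v = parse_version(version)
    # Pad to four components so '11.0' compares like '11.0.0.0'.
    v = v + (0,) * (len(SUNLOGIN_FIXED) - len(v))
    return v < SUNLOGIN_FIXED


def parse_kv(line):
    """Turn 'Key="value" Key2="value2"' into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def flag_byovd_loads(lines):
    """Return driver-load records whose file name or hash is on the BYOVD list.

    The check keys on name and hash, not on signature validity: the whole
    point of BYOVD is that the driver is validly signed.
    """
    hits = []
    for line in lines:
        rec = parse_kv(line)
        if rec.get("EventID") != "6":  # only Sysmon 'Driver loaded' events
            continue
        image = rec.get("ImageLoaded", "")
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        # Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; split it out.
        hashes = {h.split("=", 1)[1].lower()
                  for h in rec.get("Hashes", "").split(",") if "=" in h}
        if name in KNOWN_BYOVD_DRIVERS or hashes & KNOWN_BYOVD_HASHES:
            hits.append({
                "host": rec.get("Computer"),
                "driver": image,
                "signed": rec.get("Signed"),
                "signature": rec.get("Signature"),
            })
    return hits


# Constructed sample telemetry (not real logs). The signer string is a stand-in.
SAMPLE_EVENTS = [
    'EventID="6" Computer="WS01" ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" '
    'Signed="true" Signature="Microsoft Windows"',
    'EventID="6" Computer="WS01" ImageLoaded="C:\\Users\\Public\\mhyprot2.sys" '
    'Signed="true" Signature="game vendor (constructed)"',
    'EventID="1" Computer="WS01" Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"',
]

if __name__ == "__main__":
    for ver in ("v11.0.0.32", "11.0.0.33"):
        print(ver, "vulnerable" if sunlogin_vulnerable(ver) else "fixed")
    for hit in flag_byovd_loads(SAMPLE_EVENTS):
        print("BYOVD driver load:", hit)
```

The signed-but-flagged record is the one to page on: a valid signature is exactly what lets this driver through Driver Signature Enforcement, so an allowlist that trusts "Signed=true" never fires. A renamed copy would evade the name check, which is why the hash set is there for the operator to fill.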
"It's unconfirmed whether it was done by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation," the researchers said.
The findings come as threat actors are increasingly adopting Sliver, a legitimate, open-source, Go-based adversary emulation and penetration testing framework, as an alternative to Cobalt Strike and Metasploit.
"Sliver offers the necessary step-by-step features like account information theft, internal network movement, and overtaking the internal network of companies, just like Cobalt Strike," the researchers concluded.