Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework

Feb 07, 2023 Ravie Lakshmanan Cyber Threat / Malware

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.

The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a variety of payloads.

"Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells," the researchers said.

Attack chains begin with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by delivering Sliver or other malware such as Gh0st RAT and the XMRig cryptocurrency miner.

In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed on the system and drop a reverse shell using Powercat.

The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that is signed with a valid certificate to gain elevated permissions and terminate antivirus processes.
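The two facts a defender can act on from the paragraphs above are the Sunlogin version threshold (builds before v11.0.0.33 are affected) and the name of the abused driver (mhyprot2.sys). The following is an added example, not code from ASEC or The Hacker News: it checks an installed Sunlogin version against that threshold and scans constructed driver-load records for mhyprot2.sys, flagging loads from outside the standard drivers directory. The record format and the trusted directory path are assumptions made for the example.

```python
import re

# Sunlogin builds below this version carry the two RCE bugs named in the article
# (CNVD-2022-03672, CNVD-2022-10270).
SUNLOGIN_FIXED_VERSION = (11, 0, 0, 33)

# Signed-but-vulnerable driver abused in the BYOVD step described above.
BYOVD_DRIVER = "mhyprot2.sys"

# Assumed location of a legitimately installed copy of a driver.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_version(text: str) -> tuple:
    """'11.0.0.33' -> (11, 0, 0, 33); shorter strings are right-padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def sunlogin_is_vulnerable(version: str) -> bool:
    """True when the installed Sunlogin build predates v11.0.0.33."""
    return parse_version(version) < SUNLOGIN_FIXED_VERSION


def flag_driver_loads(lines):
    """Return (path, loaded_outside_trusted_dir) for each load of the abused driver.

    Lines use a constructed, hypothetical 'DriverLoaded' record shape:
    '<timestamp> <host> DriverLoaded ImageLoaded=<path> Signed=<true|false>'.
    """
    hits = []
    for line in lines:
        match = re.search(r"ImageLoaded=(\S+)", line)
        if not match:
            continue
        path = match.group(1).lower()
        if path.rsplit("\\", 1)[-1] == BYOVD_DRIVER:
            hits.append((path, not path.startswith(TRUSTED_DRIVER_DIR)))
    return hits


# Constructed sample records; the second mirrors a driver dropped by a script
# into a user-writable directory, which is the pattern worth alerting on.
SAMPLE_DRIVER_LOG = [
    "2023-02-01T10:00:01Z HOST1 DriverLoaded ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true",
    "2023-02-01T10:02:13Z HOST1 DriverLoaded ImageLoaded=C:\\Users\\Public\\mhyprot2.sys Signed=true",
]

if __name__ == "__main__":
    print("Sunlogin 11.0.0.32 vulnerable:", sunlogin_is_vulnerable("11.0.0.32"))
    for path, suspicious in flag_driver_loads(SAMPLE_DRIVER_LOG):
        print(path, "-> suspicious location" if suspicious else "-> trusted location")
```

A valid signature alone does not make the load benign; the location the driver is loaded from is the more useful signal here.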

It's worth noting here that the anti-cheat driver for the Genshin Impact video game was previously utilized as a precursor to ransomware deployment, as disclosed by Trend Micro.

"It's unconfirmed whether it was carried out by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation," the researchers said.

The findings come as threat actors are adopting Sliver, a Go-based legitimate penetration testing tool, as an alternative to Cobalt Strike and Metasploit.

"Sliver provides the necessary step-by-step features like account information theft, internal network movement, and overtaking the internal network of companies, just like Cobalt Strike," the researchers concluded.
