Tuesday, February 7, 2023

Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework


Feb 07, 2023 | Ravie Lakshmanan | Cyber Threat / Malware

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.

The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a range of payloads.

"Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells," the researchers said.

Attack chains begin with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by the delivery of Sliver or other malware such as Gh0st RAT and the XMRig cryptocurrency miner.

In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed on the system and drop a reverse shell using Powercat.

The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that is signed with a valid certificate to gain elevated permissions and terminate antivirus processes.
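The chain described above (vulnerable Sunlogin build, Sunlogin spawning PowerShell, a load of the signed-but-vulnerable mhyprot2.sys driver, and a Powercat reverse shell) gives a defender three or four concrete things to hunt for in endpoint telemetry. The following is an added illustrative example, not code from ASEC or from this article: it runs simple hunting rules over a handful of constructed, simplified Sysmon-style JSON events. The event field names, the host names, and the process image path `SunloginClient.exe` are assumptions made for the example; the driver name `mhyprot2.sys` and the version threshold `v11.0.0.33` come from the article.

```python
"""Hunting rules for the Sunlogin -> BYOVD -> reverse-shell chain (added example)."""
import json
from typing import Iterable

# Sunlogin versions prior to v11.0.0.33 are affected by the two RCE bugs named in the article.
VULNERABLE_BELOW = (11, 0, 0, 33)
# Signed-but-vulnerable driver abused for BYOVD, as named in the article.
KNOWN_BYOVD_DRIVERS = {"mhyprot2.sys"}


def parse_version(version: str) -> tuple:
    """'v10.3.0.27' -> (10, 3, 0, 27); comparing tuples gives correct numeric ordering."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def sunlogin_is_vulnerable(version: str) -> bool:
    """True when the installed Sunlogin build predates the fixed version."""
    return parse_version(version) < VULNERABLE_BELOW


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[dict]) -> list:
    """Return (rule, host, detail) tuples for every event matching a hunting rule."""
    findings = []
    for event in events:
        kind = event.get("event")
        host = event.get("host", "?")
        if kind == "driver_load":
            driver = _basename(event.get("image", ""))
            if driver in KNOWN_BYOVD_DRIVERS:
                findings.append(("byovd_driver_load", host, driver))
        elif kind == "process_create":
            parent = _basename(event.get("parent_image", ""))
            image = _basename(event.get("image", ""))
            cmdline = event.get("command_line", "").lower()
            # Remote-desktop software should not normally be launching PowerShell.
            if "sunlogin" in parent and image == "powershell.exe":
                findings.append(("sunlogin_spawned_powershell", host, cmdline))
            if "powercat" in cmdline:
                findings.append(("powercat_in_command_line", host, cmdline))
        elif kind == "software_inventory":
            if event.get("product", "").lower() == "sunlogin" and sunlogin_is_vulnerable(event["version"]):
                findings.append(("vulnerable_sunlogin_version", host, event["version"]))
    return findings


# Constructed sample telemetry (one JSON object per line); not real log data.
SAMPLE_LOG = r"""
{"event": "software_inventory", "host": "ws01", "product": "Sunlogin", "version": "v10.3.0.27"}
{"event": "software_inventory", "host": "ws02", "product": "Sunlogin", "version": "v11.0.0.33"}
{"event": "process_create", "host": "ws01", "parent_image": "C:\\Program Files\\Sunlogin\\SunloginClient.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -w hidden -File update.ps1"}
{"event": "driver_load", "host": "ws01", "image": "C:\\Windows\\Temp\\mhyprot2.sys", "signed": true}
{"event": "process_create", "host": "ws01", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -File powercat.ps1"}
{"event": "process_create", "host": "ws02", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "command_line": "notepad.exe"}
"""


def load_events(text: str) -> list:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_sample() -> list:
    """Run the rules over the constructed sample log."""
    return hunt(load_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, host, detail in hunt_sample():
        print(f"{host}: {rule} ({detail})")
```

Note that the driver rule fires on the file name alone; in production you would key on the driver's authenticode hash instead, since a renamed copy of the same signed binary still loads. The sample deliberately includes a host on the fixed version and a benign process creation so that the rules can be checked for false positives as well as hits.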

It's worth noting here that the anti-cheat driver for the Genshin Impact video game was previously utilized as a precursor to ransomware deployment, as disclosed by Trend Micro.

"It's unconfirmed whether it was carried out by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation," the researchers said.

The findings come as threat actors are adopting Sliver, a Go-based legitimate penetration testing tool, as an alternative to Cobalt Strike and Metasploit.

"Sliver offers the necessary step-by-step features like account information theft, internal network movement, and overtaking the internal network of companies, just like Cobalt Strike," the researchers concluded.
