A new hacking campaign exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
Sliver is a post-exploitation toolkit created by Bishop Fox that threat actors began using as a Cobalt Strike alternative last summer, employing it for network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.
According to a report by the AhnLab Security Emergency Response Center (ASEC), recently observed attacks target two 2022 vulnerabilities in Sunlogin, remote-control software by a Chinese developer.
After exploiting these vulnerabilities to compromise a device, the attackers use a PowerShell script to open reverse shells or install other payloads, such as Sliver, Gh0st RAT, or the XMRig Monero coin miner.
Commands supported by Sliver (ASEC)
Bringing a malicious driver to the attack
The attack begins with exploiting the CNVD-2022-10270 / CNVD-2022-03672 RCE vulnerabilities in Sunlogin v11.0.0.33 and earlier, using readily available proof-of-concept (PoC) exploits.
The intruders leverage the flaw to execute an obfuscated PowerShell script to disable security products before deploying backdoors.
The script decodes a .NET portable executable and loads it in memory. This executable is a modified version of the Mhyprot2DrvControl open-source tool, created to abuse vulnerable Windows drivers to perform malicious actions with kernel-level privileges.
Mhyprot2DrvControl specifically abuses the mhyprot2.sys file, a digitally signed anti-cheat driver for Genshin Impact that Trend Micro has observed being used in ransomware attacks since last year.
"Through a simple bypassing process, the malware can access the kernel ..
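For defenders, the chain described above (a vulnerable Sunlogin version, PowerShell launched through it, then a load of mhyprot2.sys) can be turned into a host triage pass. The following is an added example, not code from ASEC or the original article: it assumes events shaped like Sysmon Event ID 1 (process creation) and Event ID 6 (driver load), a Sunlogin process named SunloginClient.exe that is the direct parent of PowerShell, and a software inventory keyed by hostname; all sample data is constructed.

```python
import ntpath

LAST_VULNERABLE = (11, 0, 0, 33)       # article: Sunlogin v11.0.0.33 and earlier
ABUSED_DRIVER = "mhyprot2.sys"         # article: driver abused for BYOVD
SUNLOGIN_IMAGE = "sunloginclient.exe"  # assumption: client process name
POWERSHELL = {"powershell.exe", "pwsh.exe"}

def is_vulnerable(version):
    # Compare numerically: as strings, "11.0.0.4" would sort above "11.0.0.33".
    return tuple(int(p) for p in version.split(".")) <= LAST_VULNERABLE

def base(path):
    # Lower-cased file name of a Windows path (works on any host OS).
    return ntpath.basename(path or "").lower()

def triage(events, inventory):
    """Return {host: sorted finding names} for hosts that need review."""
    found = {}
    for host, version in inventory.items():
        if is_vulnerable(version):
            found.setdefault(host, set()).add("sunlogin-vulnerable-version")
    for ev in events:
        host = ev["Computer"]
        if ev["EventID"] == 6 and base(ev.get("ImageLoaded")) == ABUSED_DRIVER:
            found.setdefault(host, set()).add("mhyprot2-driver-load")
        elif (ev["EventID"] == 1 and base(ev.get("Image")) in POWERSHELL
              and base(ev.get("ParentImage")) == SUNLOGIN_IMAGE):
            found.setdefault(host, set()).add("powershell-child-of-sunlogin")
    return {h: sorted(f) for h, f in found.items()}

# Constructed sample data, not taken from the ASEC report.
INVENTORY = {"ws-01": "11.0.0.33", "ws-02": "11.0.0.4", "ws-03": "12.5.0.1"}
EVENTS = [
    {"EventID": 1, "Computer": "ws-01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Sunlogin\SunloginClient.exe"},
    {"EventID": 6, "Computer": "ws-01",
     "ImageLoaded": r"C:\Users\Public\mhyprot2.sys"},
    {"EventID": 1, "Computer": "ws-02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 6, "Computer": "ws-03",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
]

if __name__ == "__main__":
    for host, names in triage(EVENTS, INVENTORY).items():
        print(host, names)
```

A file-name match on mhyprot2.sys also fires on machines where the game's anti-cheat is legitimately installed, so treat that finding as a review prompt and weigh it against the other two on the same host.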