Using Sunlogin flaws, a new hacking campaign has been detected by security analysts at AhnLab Security Emergency Response Center (ASEC) that takes advantage of Windows BYOVD attacks to disable security software and deploy the post-exploitation toolkit Sliver.
The Silver toolkit was created by Bishop Fox as an alternative to Cobalt Strike and has been used by threat actors for quite some time. It can be used to accomplish the following key tasks:-
- Network surveillance
- Command execution
- Reflective DLL loading
- Session spawning
- Process manipulation
- Windows process migration
- Compile-time obfuscation
- Dynamic code generation
Payloads and Commands
The attacker uses PowerShell scripts in order to open reverse shells on compromised devices, or to install other payloads like:-
While here below we have mentioned the commands that are supported by Sliver:-
There are a variety of malicious behaviors which can be carried out by a threat actor by using the backdoor created by Sliver through which commands can be sent.
Sunlogin (v18.104.22.168 and earlier), a remote control software developed by Chinese developers, was recently targeted by attacks targeting two 2022 vulnerabilities. Here below we have mentioned the vulnerabilities exploited:-
Using PoC exploits that are readily available on the internet, the threat actors have exploited these vulnerabilities in this instance.
It has the capability of decoding and loading into memory the portable executable for the .NET framework. An alternative to the open-source tool Mhyprot2DrvControl is made available in the form of this executable.
To perform malicious actions with kernel-level privileges, the threat actors abuse the vulnerable Windows drivers. The mhyprot2.sys file is specifically exploited by Mhyprot2DrvControl in order to run malicious code. While it is an anti-cheat driver for the game, Genshin Impact and this driver are digitally signed.
Threat actors exploit the vulnerability of the driver once it has been loaded to gain access to the Windows kernel privileges. The security processes that have been protected from user-mode program access can then be terminated by using the method.
Powercat from an external source is downloaded as the second step in the PowerShell script. After that, the user runs a reverse shell by connecting to the C2 server using this shell to execute a reverse shell. In such a case, the attacker is able to access the compromised device remotely from a remote location.
The Sunlogin attacks were accompanied in some cases by the installation of a Sliver implant (“acl.exe”) on the system. The Sliver framework generates an implant that is used by the threat actors, and here this implant is generated without using any packers in the “Session Mode” of the Sliver framework.
Here below we Microsoft recommended a few mitigations that we have mentioned below:-
- In order to protect from BYOVD attacks, Microsoft recommends that system administrators enable the blocked drivers’ list in Windows.
- This attack can also be countered by blocking the hash of the AV killer, which is another way to block it.
- Keep an eye on the event logs associated with the newly installed mhyprot2 services.
Network Security Checklist – Download Free E-Book