Security analysts at AhnLab Security Emergency Response Center (ASEC) have detected a new hacking campaign that exploits Sunlogin flaws and then uses a Windows BYOVD (Bring Your Own Vulnerable Driver) attack to disable security software and deploy the post-exploitation toolkit Sliver.
The Sliver toolkit was created by Bishop Fox as an alternative to Cobalt Strike and has been used by threat actors for quite some time. It can be used to accomplish the following key tasks:-
The attacker uses PowerShell scripts in order to open reverse shells on compromised devices, or to install other payloads like:-
The commands supported by Sliver are listed below:-
Because commands can be sent to the backdoor that Sliver creates, a threat actor can carry out a wide variety of malicious actions through it.
Sunlogin (v18.104.22.168 and earlier), a remote control software developed by Chinese developers, was recently the target of attacks exploiting two vulnerabilities disclosed in 2022. The vulnerabilities exploited are listed below:-
In this instance, the threat actors exploited these vulnerabilities using PoC exploits that are readily available on the internet.
The PowerShell script decodes a .NET portable executable and loads it into memory. This executable serves as an alternative to the open-source tool Mhyprot2DrvControl.
To perform malicious actions with kernel-level privileges, the threat actors abuse a vulnerable Windows driver: Mhyprot2DrvControl specifically exploits the mhyprot2.sys file in order to run malicious code. mhyprot2.sys is the digitally signed anti-cheat driver for the game Genshin Impact.
Once the driver has been loaded, the threat actors exploit its vulnerability to gain Windows kernel privileges. With this method they can then terminate security processes that are protected from access by user-mode programs.
As its second step, the PowerShell script downloads Powercat from an external source and uses it to open a reverse shell that connects to the C2 server. This gives the attacker remote access to the compromised device.
In some cases the Sunlogin attacks were accompanied by the installation of a Sliver implant (“acl.exe”) on the system. The implant used by the threat actors was generated by the Sliver framework in its “Session Mode”, without any packer applied.
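The attack chain described above (signed vulnerable driver loaded, protected security process terminated, Powercat reverse shell, Sliver implant) can be turned into a simple correlation rule. The following Python is an added example written for this article, not ASEC's or Sliver's code; the Sysmon-style events, the security-process names and the field layout are constructed assumptions.

```python
# Correlation sketch for the BYOVD + Sliver chain described in the article.
# Events are constructed, Sysmon-style records (assumption): id 6 = driver
# loaded, id 1 = process created, id 5 = process terminated.

# Driver named in the article as abused for BYOVD. In a real deployment this
# set would be fed from Microsoft's vulnerable-driver block list (assumption).
BYOVD_DRIVERS = {"mhyprot2.sys"}
# Illustrative names of security products that should only die via BYOVD.
SECURITY_PROCESSES = {"msmpeng.exe", "avservice.exe"}  # constructed list
# Indicators from the article: Powercat reverse shell and the Sliver implant.
SUSPICIOUS_CMDLINE_TOKENS = ("powercat",)
IMPLANT_NAMES = {"acl.exe"}

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\stage1.ps1", "pid": 4120},
    {"id": 6, "image": r"C:\Users\Public\mhyprot2.sys", "pid": 4},
    {"id": 5, "image": r"C:\Program Files\AV\avservice.exe", "pid": 2210},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File C:\\Users\\Public\\powercat.ps1", "pid": 4130},
    {"id": 1, "image": r"C:\Users\Public\acl.exe", "cmdline": "acl.exe", "pid": 4140},
]


def basename(path):
    """Lower-cased file name of a Windows path (or of a bare name)."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, detail) alerts in event order.

    A security-process termination is only flagged once a known BYOVD driver
    has been seen loading earlier in the stream, which keeps ordinary AV
    restarts out of the alert list.
    """
    alerts, byovd_loaded = [], False
    for ev in events:
        name = basename(ev["image"])
        if ev["id"] == 6 and name in BYOVD_DRIVERS:
            byovd_loaded = True
            alerts.append(("byovd_driver_loaded", name))
        elif ev["id"] == 5 and byovd_loaded and name in SECURITY_PROCESSES:
            alerts.append(("security_process_killed_after_byovd", name))
        elif ev["id"] == 1:
            cmd = ev.get("cmdline", "").lower()
            if any(tok in cmd for tok in SUSPICIOUS_CMDLINE_TOKENS):
                alerts.append(("powercat_reverse_shell", cmd))
            if name in IMPLANT_NAMES:
                alerts.append(("sliver_implant_executed", name))
    return alerts
```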
Microsoft recommends the following mitigations:-