Hackers Exploit Vulnerabilities in Sunlogin to Deploy Sliver C2 Framework

Threat actors are leveraging known flaws in Sunlogin software to deploy the Sliver command-and-control (C2) framework for carrying out post-exploitation activities.

The findings come from AhnLab Security Emergency response Center (ASEC), which found that security vulnerabilities in Sunlogin, a remote desktop program developed in China, are being abused to deploy a wide range of payloads.

“Not only did threat actors use the Sliver backdoor, but they also used the BYOVD (Bring Your Own Vulnerable Driver) malware to incapacitate security products and install reverse shells,” the researchers said.

Attack chains commence with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by delivering Sliver or other malware such as Gh0st RAT and the XMRig cryptocurrency miner.

In one instance, the threat actor is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, employs the BYOVD technique to incapacitate security software installed on the system and drop a reverse shell using Powercat.

The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, that’s signed with a valid certificate to gain elevated permissions and terminate antivirus processes.
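A defender-side check for the two indicators this report names, added here as an example and not code from ASEC or the article: it flags a load of mhyprot2.sys and a Sunlogin build older than v11.0.0.33 in constructed Sysmon-style log lines (the key=value log shape, file names and paths are assumptions made for the example).

```python
import re
from typing import Dict, List, Tuple

# Sunlogin builds older than this carry the two RCE bugs cited in the report
# (CNVD-2022-03672 and CNVD-2022-10270).
SUNLOGIN_FIXED_VERSION = (11, 0, 0, 33)
# Legitimate but vulnerable signed driver abused in the reported BYOVD step.
BYOVD_DRIVERS = {"mhyprot2.sys"}

# Constructed sample telemetry in a Sysmon-like key=value shape (Event ID 6 is
# DriverLoad, Event ID 1 is ProcessCreate). These lines are made up for the
# example; the paths and file names are assumptions, not observed values.
SAMPLE_LOG = """\
EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\ntfs.sys Signed=true
EventID=6 ImageLoaded=C:\\Users\\Public\\mhyprot2.sys Signed=true
EventID=1 Image=C:\\Sunlogin\\SunloginClient.exe FileVersion=11.0.0.24
EventID=1 Image=C:\\Sunlogin\\SunloginClient.exe FileVersion=11.0.0.33
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split 'k=v k=v' into a dict; values carry no spaces in this sample format."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def basename(path: str) -> str:
    """Last path component, tolerant of Windows separators on any host."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in s.strip().lstrip("vV").split("."))

def sunlogin_is_vulnerable(version: str) -> bool:
    """True for Sunlogin builds older than the fixed release v11.0.0.33."""
    return parse_version(version) < SUNLOGIN_FIXED_VERSION

def scan(log: str) -> List[str]:
    """Return one finding per line matching either indicator from the report."""
    findings = []
    for line in log.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") == "6" and basename(ev.get("ImageLoaded", "")) in BYOVD_DRIVERS:
            findings.append(f"BYOVD driver load: {ev['ImageLoaded']}")
        elif ev.get("EventID") == "1" and basename(ev.get("Image", "")).startswith("sunlogin"):
            if sunlogin_is_vulnerable(ev.get("FileVersion", "0")):
                findings.append(f"vulnerable Sunlogin build: {ev['FileVersion']}")
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```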

It’s worth noting here that the anti-cheat driver for the Genshin Impact video game was previously utilized as a precursor to ransomware deployment, as disclosed by Trend Micro.

“It is unconfirmed whether it was done by the same threat actor, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation,” the researchers said.

The findings come as threat actors are adopting Sliver, a Go-based legitimate penetration testing tool, as an alternative to Cobalt Strike and Metasploit.

“Sliver offers the required step-by-step features like account information theft, internal network movement, and overtaking the internal network of companies, just like Cobalt Strike,” the researchers concluded.
