Cybercriminals are taking advantage of known weaknesses in Sunlogin software to deploy the Sliver command-and-control framework for post-exploitation activities. This was discovered by AhnLab Security Emergency response Center, which found that security flaws in Sunlogin, a Chinese-developed remote desktop program, are being abused to deploy a variety of payloads. Not only did attackers use the Sliver backdoor, but they also used a Bring Your Own Vulnerable Driver (BYOVD) technique to disable security products and install reverse shells.

The attack chain begins with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33, followed by the delivery of Sliver or other malware such as Gh0st RAT and the XMRig cryptocurrency miner. In one case, the attacker is said to have weaponized the Sunlogin flaws to install a PowerShell script that, in turn, uses the BYOVD technique to disable security software installed on the system and drop a reverse shell using Powercat.

The BYOVD method abuses a legitimate but vulnerable Windows driver, mhyprot2.sys, which is signed with a valid certificate, to gain elevated permissions and terminate antivirus processes. "It is unclear if this was done by the same attacker, but after a few hours, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation," the researchers said.

This comes as attackers are turning to Sliver, a legitimate Go-based penetration testing tool, as an alternative to Cobalt Strike and Metasploit. Sliver "provides the necessary step-by-step features such as account information theft, internal network movement, and taking over the internal network of companies, just like Cobalt Strike," the researchers concluded.
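A defender-side check for the BYOVD pattern described above, added here as an example and not taken from the AhnLab report: it looks for a load of a known-abused signed driver (mhyprot2.sys, as on this page) followed within a short window by the termination of security-product processes. It assumes simplified Sysmon-style records in the form `timestamp|event_id|image` (6 = DriverLoad, 5 = ProcessTerminate); the sample log, the list of security-product process names and the 120-second window are all constructed assumptions.

```python
"""Flag the BYOVD kill chain: vulnerable driver loaded, then AV processes terminated."""
from datetime import datetime, timedelta

# Driver names publicly reported as abused for BYOVD; mhyprot2.sys is the one on this page.
KNOWN_ABUSED_DRIVERS = {"mhyprot2.sys"}
# Image names of security products to watch for (assumed list for this example).
SECURITY_PROCESSES = {"msmpeng.exe", "mssense.exe", "csfalconservice.exe"}
WINDOW = timedelta(seconds=120)  # assumed correlation window

# Constructed sample records: "<ISO timestamp>|<Sysmon event id>|<image path>"
SAMPLE_LOG = [
    "2023-02-07T09:00:00|6|C:\\Windows\\System32\\drivers\\tcpip.sys",
    "2023-02-07T10:14:58|1|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2023-02-07T10:15:00|6|C:\\Windows\\Temp\\mhyprot2.sys",
    "2023-02-07T10:15:03|5|C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe",
    "2023-02-07T10:15:04|5|C:\\Windows\\System32\\notepad.exe",
    "2023-02-07T10:30:00|5|C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe",
]

def parse(line):
    """Split one record into timestamp, event id and lower-cased image name."""
    ts, event_id, image = line.split("|", 2)
    name = image.strip().lower().rsplit("\\", 1)[-1]
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id), "name": name}

def detect_byovd_kills(lines, window=WINDOW):
    """Return one alert per known-abused driver load; severity is raised to 'high'
    when security-product processes terminate within `window` after the load."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["event_id"] != 6 or ev["name"] not in KNOWN_ABUSED_DRIVERS:
            continue
        killed = [k["name"] for k in events[i + 1:]
                  if k["event_id"] == 5 and k["ts"] - ev["ts"] <= window
                  and k["name"] in SECURITY_PROCESSES]
        alerts.append({"driver": ev["name"], "loaded_at": ev["ts"].isoformat(),
                       "terminated": killed, "severity": "high" if killed else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect_byovd_kills(SAMPLE_LOG):
        print(alert)
```

A driver load alone still yields a medium alert, since the driver has no business on a server or workstation that runs no game client; the MsSense.exe termination 15 minutes later falls outside the window and is deliberately not attributed to the load.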
This Cyber News was published on thehackernews.com. Publication date: Tue, 07 Feb 2023 17:38:02 +0000