Last summer, cybercriminals began using Sliver as an alternative to Cobalt Strike, using it for monitoring networks, executing commands, loading reflective DLLs, spawning sessions, and manipulating processes. Recently, attacks have been observed targeting two 2022 vulnerabilities in Sunlogin, remote-control software developed by a Chinese company, according to the AhnLab Security Emergency Response Center (ASEC). Attackers exploit these flaws to gain access to a device, then use PowerShell scripts to open reverse shells or install other payloads such as Sliver, Gh0st RAT, or XMRig Monero coin miners.

With proof-of-concept exploits readily available, the attacks target the CNVD-2022-10270 / CNVD-2022-03672 RCE vulnerabilities in Sunlogin v11.0.0.33 and earlier. Intruders use the vulnerability to run an obfuscated PowerShell script that disables security products before deploying backdoors. The script decodes a .NET portable executable and loads it into memory: a modified version of Mhyprot2DrvControl, an open-source tool designed to abuse a vulnerable, legitimately signed Windows driver to carry out malicious activities.

As Trend Micro observed last year, Mhyprot2DrvControl specifically targets mhyprot2.sys, a digitally signed anti-cheat driver shipped with Genshin Impact. By exploiting mhyprot2.sys, the malware can access the kernel area, according to ASEC. The developer of Mhyprot2DrvControl provided multiple features that can be used with the privileges escalated through mhyprot2; one of these, which forces processes to terminate, was used by the threat actor to build malware that shuts down multiple anti-malware products. The second part of the PowerShell script opens a reverse shell to the C2 server, granting the attacker remote access to the breached device. According to ASEC, some Sunlogin attacks were followed by a Sliver implant.
The threat actors used the implant generated by the Sliver framework in session mode, without any packer. The attackers also installed Gh0st RAT for remote file management, keylogging, remote command execution, and data exfiltration.

To protect against BYOVD (bring your own vulnerable driver) attacks, Microsoft recommends that Windows admins enable the vulnerable driver blocklist. According to a Microsoft support article, the blocklist can be enabled through Windows Memory Integrity (HVCI) or Windows Defender Application Control. A second line of defense is to block the hash of the AV killer, f71b0c2f7cd766d9bdc1ef35c5ec1743, and to monitor event logs for newly installed services named Mhyprot2.
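The two host-side checks above (watch for a newly installed Mhyprot2 service, block the quoted AV-killer hash) can be turned into a small hunt. The script below is an added example and is not code from the article, ASEC, Trend Micro, or Microsoft. It parses exported Windows System-log records for Event ID 7045 ("A service was installed in the system"), flags entries that register the Genshin Impact anti-cheat driver by service name (Mhyprot2) or by image file (mhyprot2.sys), and compares a file's MD5 against the hash from the article. The event records are constructed, and the field layout assumes the rendered 7045 message format (Service Name / Service File Name / Service Type / Service Start Type); adapt the parser to whatever your SIEM exports.

```python
"""Added example: hunt exported Event ID 7045 records for the mhyprot2
BYOVD indicators and check dropped files against the AV-killer MD5.
Sample records are constructed, not real telemetry."""

import hashlib
import ntpath
import re
from dataclasses import dataclass

# Indicators taken from the article.
AV_KILLER_MD5 = "f71b0c2f7cd766d9bdc1ef35c5ec1743"
SUSPECT_SERVICE_NAMES = {"mhyprot2"}
SUSPECT_DRIVER_FILES = {"mhyprot2.sys"}


@dataclass
class ServiceInstallEvent:
    record_id: int
    service_name: str
    image_path: str
    service_type: str
    start_type: str


# Constructed sample: three 7045 records, one registering the vulnerable
# driver from a user-writable directory (assumed path, not from the article).
SAMPLE_EVENTS = """\
RecordId: 1001
Service Name: WinDefend
Service File Name: "C:\\Program Files\\Windows Defender\\MsMpEng.exe"
Service Type: user mode service
Service Start Type: auto start
---
RecordId: 1002
Service Name: Mhyprot2
Service File Name: C:\\Users\\Public\\mhyprot2.sys
Service Type: kernel mode driver
Service Start Type: demand start
---
RecordId: 1003
Service Name: gupdate
Service File Name: "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe" /svc
Service Type: user mode service
Service Start Type: auto start
"""

# One anchored regex per field; the "^" keeps "Service Type:" from matching
# the "Service Start Type:" line.
FIELD_RE = {
    "record_id": re.compile(r"^RecordId:\s*(\d+)\s*$", re.M),
    "service_name": re.compile(r"^Service Name:\s*(.+?)\s*$", re.M),
    "image_path": re.compile(r"^Service File Name:\s*(.+?)\s*$", re.M),
    "service_type": re.compile(r"^Service Type:\s*(.+?)\s*$", re.M),
    "start_type": re.compile(r"^Service Start Type:\s*(.+?)\s*$", re.M),
}


def parse_events(text: str) -> list:
    """Split an export on '---' and pull the five fields from each record.
    Records missing a field are skipped rather than guessed at."""
    events = []
    for chunk in text.split("---"):
        if not chunk.strip():
            continue
        fields = {}
        for key, rx in FIELD_RE.items():
            m = rx.search(chunk)
            if m is None:
                break
            fields[key] = m.group(1)
        else:
            fields["record_id"] = int(fields["record_id"])
            events.append(ServiceInstallEvent(**fields))
    return events


def image_basename(image_path: str) -> str:
    """Lower-cased file name of a service image path. Paths may be quoted
    and may carry arguments, so strip quoting and cut at the first space
    (unquoted paths containing spaces are a known limitation here)."""
    path = image_path.strip()
    if path.startswith('"'):
        path = path[1:].split('"', 1)[0]
    else:
        path = path.split(" ", 1)[0]
    return ntpath.basename(path).lower()


def find_suspect_driver_installs(events) -> list:
    """Flag records that register the driver by service name or by file name.
    Either signal alone counts: an attacker can rename one but keep the other."""
    return [
        ev for ev in events
        if ev.service_name.lower() in SUSPECT_SERVICE_NAMES
        or image_basename(ev.image_path) in SUSPECT_DRIVER_FILES
    ]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def is_known_av_killer(data: bytes) -> bool:
    """True when the file content hashes to the AV-killer MD5 from the article."""
    return md5_hex(data) == AV_KILLER_MD5


if __name__ == "__main__":
    for ev in find_suspect_driver_installs(parse_events(SAMPLE_EVENTS)):
        print(f"record {ev.record_id}: service {ev.service_name!r} "
              f"({ev.service_type}) from {ev.image_path}")
```

Hosts that legitimately run Genshin Impact will also register this service, so baseline those machines and treat the driver appearing from a user-writable path, or on a host with no game installed, as the stronger signal. The hash check only catches this exact AV-killer build; the driver blocklist is what stops the underlying technique regardless of how the loader is repacked.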
This Cyber News was published on heimdalsecurity.com. Publication date: Wed, 08 Feb 2023 10:02:02 +0000