A recent hacking campaign has been exploiting vulnerabilities in Sunlogin, a remote-control software product, to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks that disable security software. Sliver is a toolkit created by Bishop Fox that is used for network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.

The attack begins by exploiting two 2022 vulnerabilities in Sunlogin v11.0.0.33 and earlier, using proof-of-concept exploits. After compromising the device, the attackers use a PowerShell script to open reverse shells or install other payloads, such as Sliver, Gh0st RAT, or the XMRig Monero coin miner.

The script decodes a .NET portable executable and loads it in memory. This executable is a modified version of the open-source Mhyprot2DrvControl tool, which abuses a vulnerable Windows driver to perform malicious actions with kernel-level privileges. The malware uses Mhyprot2DrvControl to reach kernel space and terminate security processes that are protected from user-mode programs. The second part of the PowerShell script downloads Powercat from an external source and uses it to run a reverse shell that connects to the C2 server, giving the attacker remote access to the breached device. In some cases the attackers installed the Sliver implant; in others they installed Gh0st RAT for remote file management, keylogging, remote command execution, and data exfiltration.

Microsoft recommends that Windows admins enable the vulnerable driver blocklist to protect against BYOVD attacks. Additionally, blocking the hash of the AV killer, f71b0c2f7cd766d9bdc1ef35c5ec1743, and monitoring event logs for newly installed services named Mhyprot2 can help defend against this attack.
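The three defensive measures above can be checked on an endpoint with the following PowerShell, which is an added example and not code from the article or from Microsoft. It assumes the 32-hex-digit hash is an MD5 digest, that new-service installs are recorded as Service Control Manager event 7045 in the System log, and that the blocklist state is exposed through the documented `VulnerableDriverBlocklistEnable` registry value.

```powershell
# Added example: defender-side checks for the Sunlogin/Sliver BYOVD campaign.
# Run from an elevated PowerShell session.

# 1. AV-killer hash from the article. Its 32-hex-digit length matches MD5, so the
#    comparison below assumes an MD5 digest.
$AvKillerHash = 'f71b0c2f7cd766d9bdc1ef35c5ec1743'

function Find-AvKiller {
    # Scan a few user-writable drop locations for a file matching the reported hash.
    param([string[]]$Paths = @($env:TEMP, $env:ProgramData, $env:PUBLIC))
    foreach ($p in $Paths) {
        Get-ChildItem -Path $p -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
            if ($h -and $h.ToLower() -eq $AvKillerHash) { $_.FullName }
        }
    }
}

function Find-Mhyprot2Service {
    # Event 7045 ("A service was installed in the system") is logged by the Service
    # Control Manager when the loader registers the vulnerable driver as a service.
    param([int]$Days = 30)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $name  = [string]$_.Properties[0].Value
        $image = [string]$_.Properties[1].Value
        if ($name -match '^mhyprot2' -or $image -match 'mhyprot2') {
            [pscustomobject]@{ Time = $_.TimeCreated; ServiceName = $name; ImagePath = $image }
        }
    }
}

function Test-VulnerableDriverBlocklist {
    # Microsoft's vulnerable driver blocklist is switched on explicitly via this
    # Code Integrity registry value (assumed; HVCI-enabled systems enforce it anyway).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
    $v = (Get-ItemProperty -Path $key -Name VulnerableDriverBlocklistEnable `
            -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    return ($v -eq 1)
}

Find-AvKiller
Find-Mhyprot2Service | Format-Table -AutoSize
if (-not (Test-VulnerableDriverBlocklist)) {
    Write-Warning 'Microsoft vulnerable driver blocklist is not explicitly enabled.'
}
```

Security event 4697 carries the same service-install data when "Audit Security System Extension" is enabled, so the 7045 query can be mirrored against the Security log in environments that forward it to a SIEM.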
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 06 Feb 2023 21:01:02 +0000