Sliver C2 Framework is exploited by hackers through Sunlogin vulnerabilities

/ / News

Cybercriminals are exploiting known weaknesses in the Sunlogin software to deploy the Sliver Command-and-Control (C2) framework for post-exploitation activities. This was uncovered by the AhnLab Security Emergency Response Center (ASEC), which discovered that security flaws in the Chinese-developed remote desktop program, Sunlogin, are being taken advantage of to launch a wide range of malicious payloads.

According to the researchers, the attackers not only use the Sliver backdoor but also utilize the BYOVD (Bring Your Own Vulnerable Driver) malware to disable security products and install reverse shells. The attack sequence begins with the exploitation of two remote code execution bugs in Sunlogin versions prior to v11.0.0.33 (CNVD-2022-03672 and CNVD-2022-10270), followed by the delivery of Sliver or other malware such as Gh0st RAT and XMRig crypto coin miner.

In one instance, the cyber criminal reportedly utilized the Sunlogin flaws to install a PowerShell script that employed the BYOVD technique to neutralize security software on the system and drop a reverse shell using Powercat. The BYOVD method takes advantage of a legitimate but vulnerable Windows driver, mhyprot2.sys, that’s signed with a valid certificate to acquire elevated permissions and terminate antivirus processes.

It’s noteworthy that the anti-cheat driver for the Genshin Impact video game was previously employed as a precursor to ransomware deployment, as reported by Trend Micro. The researchers state that although it’s unconfirmed whether the same threat actor was responsible, a log shows that a Sliver backdoor was installed on the same system through a Sunlogin RCE vulnerability exploitation after a few hours.

The revelations come as cybercriminals are opting for Sliver, a legitimate Go-based penetration testing tool, as an alternative to Cobalt Strike and Metasploit. The researchers conclude that Sliver offers the necessary step-by-step features for theft of account information, internal network movement, and takeover of company internal networks, similar to Cobalt Strike.


Leave a Reply

Your email address will not be published. Required fields are marked *