BYOVD Combos with the Sliver Framework to Exploit Sunlogin Vulnerabilities
Category: Threat Actor Activity | Industry: Global | Level: Tactical | Source: ASEC
A new threat campaign exploits vulnerabilities in Sunlogin, a Chinese remote access tool, to deploy the Sliver attack framework, remote access trojans, and BYOVD (Bring Your Own Vulnerable Driver) malware that disables security products on the host. Security researchers from the ASEC (AhnLab Security Emergency response Center) analysis team observed adversaries exploiting the remote code execution vulnerabilities CNVD-2022-10270 and CNVD-2022-03672 to gain initial access. The deployment of Sliver appears to be an attempt to evade detections established for more prominent tools like Cobalt Strike and Meterpreter.
"SunloginClient.exe," the vulnerable process the attackers targeted, was often observed spawning PowerShell, which in turn executed other LOLBins to download or launch payloads. Initial cases found the attackers deploying GhostRAT or the XMRig CoinMiner. However, recent cases observed by ASEC used the BYOVD technique to impair system defenses and launched a reverse shell with Powercat. The threat actors executed this attack by downloading an obfuscated PowerShell script which, when executed, loads itself into memory and launches an executable file. ASEC's analysis of the executable file suspects it "to be the open-source tool Mhyprot2DrvControl that was personally modified by the threat actor to forcefully terminate security products." The Mhyprot2DrvControl program abuses a vulnerable Windows driver to obtain kernel-level privileges, which provide the permissions required to terminate security products.
Anvilogic Use Cases:
- Suspicious Payload Initiated from PowerShell
- Suspicious Executable by Powershell
- Executable Create Script Process
- regsvr32 Execution
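The process chain described in the analysis (SunloginClient.exe spawning PowerShell, which then launches LOLBins such as regsvr32 to fetch or run payloads) is what the use cases above are built to catch. The following is an added example of that detection logic, written for this page and not taken from ASEC or Anvilogic. It reconstructs parent/child lineage from constructed Sysmon Event ID 1-style process-creation records and flags the chain at each hop; the field names, the LOLBin list and the command-line markers are assumptions chosen for illustration, and the sample events are constructed, not real telemetry.

```python
"""Process-chain detection for the Sunlogin -> PowerShell -> LOLBin pattern.

Added example (not ASEC's or Anvilogic's code). Input records are constructed
dicts shaped like Sysmon Event ID 1 (process creation); field names are an
assumption, as is the LOLBin baseline below.
"""
import re
from typing import Dict, Iterable, List, Tuple

SUNLOGIN = {"sunloginclient.exe"}  # vulnerable process named in the analysis
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Common LOLBin baseline (assumption; the page only names regsvr32 explicitly).
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "certutil.exe",
           "bitsadmin.exe", "wscript.exe", "cscript.exe", "msiexec.exe"}

# Markers of an encoded, in-memory or download-cradle PowerShell invocation.
CRADLE = re.compile(
    r"-e(nc|ncodedcommand)?\s|downloadstring|downloadfile|invoke-expression"
    r"|\biex\b|frombase64string",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[str]:
    """Image names of a process's ancestors, nearest first, cycle-safe."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None:
        ppid = cur.get("ParentProcessId")
        if ppid not in by_pid or ppid in seen:
            break  # parent not in the telemetry window, or a loop
        seen.add(ppid)
        cur = by_pid[ppid]
        chain.append(basename(cur["Image"]))
    return chain


def evaluate(event: dict, by_pid: Dict[int, dict]) -> List[str]:
    """Return the rule names this single event trips (empty list if none)."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    lineage = ancestry(event["ProcessId"], by_pid)
    hits = []
    if parent in SUNLOGIN and image in SHELLS:
        hits.append("sunlogin_spawns_shell")       # Sunlogin -> PowerShell/cmd
    if image in SHELLS and CRADLE.search(cmdline):
        hits.append("shell_cradle_cmdline")        # encoded / in-memory loader
    if parent in SHELLS and image in LOLBINS:
        hits.append("shell_spawns_lolbin")         # PowerShell -> regsvr32 etc.
    if image in (SHELLS | LOLBINS) and any(a in SUNLOGIN for a in lineage):
        hits.append("descends_from_sunlogin")      # any depth below Sunlogin
    return hits


def scan(events: Iterable[dict]) -> List[Tuple[int, List[str]]]:
    """Evaluate every event with full lineage context; return (pid, hits)."""
    events = list(events)
    by_pid = {e["ProcessId"]: e for e in events}
    return [(e["ProcessId"], h) for e in events if (h := evaluate(e, by_pid))]


# Constructed sample telemetry (not real data). PIDs, paths and the base64
# placeholder are invented for the example.
SAMPLE_EVENTS = [
    {"ProcessId": 400, "ParentProcessId": 1,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 1200, "ParentProcessId": 400, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe",
     "CommandLine": "SunloginClient.exe"},
    {"ProcessId": 1300, "ParentProcessId": 1200,
     "ParentImage": r"C:\Program Files\Oray\SunLogin\SunloginClient\SunloginClient.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-placeholder>"},
    {"ProcessId": 1400, "ParentProcessId": 1300,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\Public\payload.dll"},
    # Benign: an admin script launched from the desktop, no Sunlogin lineage.
    {"ProcessId": 1500, "ParentProcessId": 400, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(pid, ", ".join(hits))
```

The lineage walk is what makes the last rule useful: once the PowerShell stage hands off to a LOLBin, the LOLBin's direct parent no longer looks like Sunlogin, so a parent-only rule misses it while the ancestry check still ties it back. The benign record shows the cost side: a plain `-File` invocation from Explorer trips nothing, whereas any shell or LOLBin that descends from the remote access client is surfaced for review.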