A new hacking campaign exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
Sliver is a post-exploitation toolkit created by Bishop Fox that threat actors began using as a Cobalt Strike alternative last summer, employing it for network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.
According to a report by the AhnLab Security Emergency Response Center (ASEC), recently observed attacks target two 2022 vulnerabilities in Sunlogin, a remote-control software by a Chinese developer.
After exploiting these vulnerabilities to compromise a device, the attackers use PowerShell script to open reverse shells, or install other payloads, such as Sliver, Gh0st RAT, or the XMRig Monero coin miner.
Bringing a malicious driver to the attack
The attack begins with exploiting the CNVD-2022-10270 / CNVD-2022-03672 RCE vulnerabilities in Sunlogin v11.0.0.33 and earlier, using readily available proof of concept (PoC) exploits.
The intruders leverage the flaw to execute an obfuscated PowerShell script to disable security products before deploying backdoors.
The script decodes a .NET portable executable and loads it in memory. This executable is a modified version of the Mhyprot2DrvControl open-source tool, created to abuse vulnerable Windows drivers to perform malicious actions with kernel-level privileges.
Mhyprot2DrvControl specifically abuses the mhyprot2.sys file, a digitally signed anti-cheat driver for Genshin Impact that Trend Micro observed being used for ransomware attacks since last year.
“Through a simple bypassing process, the malware can access the kernel area through mhyprot2.sys,” explains ASEC in the report.
“The developer of Mhyprot2DrvControl provided multiple features that can be utilized with the privileges escalated through mhyprot2.sys. Among these, the threat actor used the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products.”
Once the driver is loaded, the threat actors exploit its vulnerability to gain Windows kernel privileges, which can then be used to terminate security processes protected from user-mode programs.
The second part of the PowerShell script downloads Powercat from an external source and uses it to run a reverse shell that connects to the C2 server, providing the attacker with remote access to the breached device.
In some cases observed by ASEC, the Sunlogin attacks were followed by installing a Sliver implant (“acl.exe”). The threat actors used the implant generated by the Sliver framework in “Session Mode” without using any packers.
In other cases, the attackers installed the Gh0st RAT (remote access trojan) for remote file management, key logging, remote command execution, and data exfiltration capabilities.
Microsoft recommends that Windows admins enable the vulnerable driver blocklist to protect against BYOVD attacks.
A Microsoft support article provides information on enabling the blocklist using the Windows Memory Integrity feature or Windows Defender Application Control (WDAC).
Another way to defend against this attack is to block the hash of the AV killer, “f71b0c2f7cd766d9bdc1ef35c5ec1743,” and monitor event logs for newly installed services named “mhyprot2.”
