A new hacking campaign exploits vulnerabilities in Sunlogin to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks that disable security software. Sliver, developed by Bishop Fox, is a powerful toolkit that threat actors have adopted as an alternative to Cobalt Strike. It allows attackers to perform network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.

What does the report reveal?

According to a report by the AhnLab Security Emergency Response Center (ASEC), the recent attacks target two 2022 vulnerabilities in Sunlogin, a remote-control application from a Chinese vendor. After exploiting these vulnerabilities, the attackers use a PowerShell script to open reverse shells and attempt to install additional payloads such as Sliver, Gh0st RAT, or the XMRig Monero coin miner.

The attack begins by exploiting the CNVD-2022-10270/CNVD-2022-03672 RCE vulnerabilities in Sunlogin v11.0.0.33 and earlier, using readily available proof-of-concept (PoC) exploits. The intruders use the flaw to execute an obfuscated PowerShell script that disables security products before deploying backdoors. The script decodes a .NET portable executable and loads it into memory. This executable is a modified version of the open-source Mhyprot2DrvControl tool, which abuses vulnerable Windows drivers to perform malicious actions with kernel-level privileges.

Mhyprot2DrvControl: Know all about it

Mhyprot2DrvControl specifically abuses mhyprot2.sys, a digitally signed anti-cheat driver for Genshin Impact that Trend Micro observed being abused in ransomware attacks last year. “The malware can access the kernel area through mhyprot2.sys through a simple bypassing process,” explains ASEC in the report. “The developer of Mhyprot2DrvControl provided multiple features that the attacker can use with the escalated privileges through mhyprot2.sys. Among these, the attacker used the feature that allows the force termination of processes to develop malware that shuts down multiple anti-malware products.”

Once the driver is loaded, the threat actors exploit its vulnerability to gain Windows kernel privileges, which they then use to terminate security processes that are protected from user-mode programs. The second part of the PowerShell script downloads Powercat from an external source and uses it to run a reverse shell that connects to the C2 server, giving the attacker remote access to the breached device.

In some cases, ASEC observed the Sunlogin attacks being followed by the installation of a Sliver implant (acl.exe). The threat actors used an implant generated by the Sliver framework in “Session Mode”, without any packers. In other cases, the attackers installed Gh0st RAT for its remote file management, keylogging, remote command execution, and data exfiltration capabilities.

To defend against this attack, Microsoft recommends that Windows administrators enable the vulnerable driver blocklist and follow its support article on enabling the blocklist through the Windows Memory Integrity feature or Windows Defender Application Control (WDAC). Defenders can also block the hash of the AV killer, “f71b0c2f7cd766d9bdc1ef35c5ec1743”, and monitor event logs for newly installed services named “mhyprot2”. Note that the hash blocks only this exact sample; a rebuilt binary will carry a different hash, so watching for the driver service name and for the driver being loaded is the more durable control.
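As a practical companion to the kernel-level process termination described in the driver section and to the indicators in the paragraph above, here is an added PowerShell hunting script for a single Windows host. It is not part of the ASEC report, the original article, or the Mhyprot2DrvControl project. The driver/service name, the System log event for service installation (Event ID 7045), and the MD5 hash come from the article; the 30-day lookback window and the set of scan directories are assumptions chosen for this example. It reports whether Memory Integrity (HVCI) is running, but does not check whether a separate WDAC policy carrying the blocklist has been applied.

```powershell
# Added hunting script (not from the ASEC report or the original article).
# Run from an elevated PowerShell prompt.

$KnownMd5     = 'F71B0C2F7CD766D9BDC1EF35C5EC1743'   # AV-killer hash quoted in the article
$DriverName   = 'mhyprot2'                            # driver/service name quoted in the article
$LookbackDays = 30                                    # assumption: how far back to search

# 1. Service installation events (System log, Event ID 7045) that name the driver.
$since = (Get-Date).AddDays(-$LookbackDays)
$svcEvents = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Service Name:\s+$DriverName\b" }
foreach ($e in $svcEvents) {
    Write-Warning "[$($e.TimeCreated)] Service install event for '$DriverName':`n$($e.Message)"
}

# 2. Is the driver currently registered or running on this host?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name = '$DriverName'" -ErrorAction SilentlyContinue
if ($drv) {
    Write-Warning "Driver service '$($drv.Name)' present: State=$($drv.State) Path=$($drv.PathName)"
}

# 3. Hash executables in user-writable locations against the known AV-killer sample.
#    Assumption: these directories are where a dropped payload is most likely to land.
$scanRoots = @($env:TEMP, "$env:USERPROFILE\Downloads", $env:ProgramData, $env:PUBLIC)
Get-ChildItem -Path $scanRoots -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue).Hash
        if ($h -eq $KnownMd5) { Write-Warning "Known AV-killer hash at $($_.FullName)" }
    }

# 4. Is Memory Integrity (HVCI) running? HVCI is one of the two ways Microsoft
#    documents for enforcing the vulnerable driver blocklist (value 2 = HVCI).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($dg -and ($dg.SecurityServicesRunning -contains 2)) {
    Write-Host "Memory Integrity (HVCI) is running."
} else {
    Write-Warning "Memory Integrity (HVCI) is not running; the driver blocklist is not enforced through it on this host."
}
```

Check 2 is the one worth keeping in scheduled monitoring: the anti-cheat driver is legitimately signed, so a signature check alone will not flag it, and any BYOVD variant of this tooling must still register and load it under some service name before it can terminate protected processes.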