BTC $65266.0064
ETH $3170.2759
BNB $579.9567
SOL $151.5810
stETH $3170.3792
XRP $0.5307
DOGE $0.1622
TON $6.2152
ADA $0.5047
AVAX $37.5087
wstETH $3690.1011
WBTC $65350.8728
DOT $7.1858
WETH $3168.2550
TRX $0.1112
BCH $512.3933
LINK $14.9136
MATIC $0.7262
ICP $15.2978
UNI $7.8248
LTC $85.1449
DAI $1.0008
RNDR $9.1190
CAKE $2.9399
IMX $2.1935
STX $2.8650
ETC $27.9082
FDUSD $0.9998
MNT $1.2003
NEAR $6.3271
FIL $6.6129
OKB $55.7832
HBAR $0.0909
TAO $475.1056
VET $0.0423
WIF $3.0785
ATOM $8.6865
MKR $3070.6157
KAS $0.1185
FET $2.4759
GRT $0.2860
INJ $29.1371
PEPE $0.0000
USDE $0.9998
XLM $0.1150
THETA $2.2569
XMR $121.6010
BTC $65266.0064
ETH $3170.2759
BNB $579.9567
SOL $151.5810
stETH $3170.3792
XRP $0.5307
DOGE $0.1622
TON $6.2152
ADA $0.5047
AVAX $37.5087
wstETH $3690.1011
WBTC $65350.8728
DOT $7.1858
WETH $3168.2550
TRX $0.1112
BCH $512.3933
LINK $14.9136
MATIC $0.7262
ICP $15.2978
UNI $7.8248
LTC $85.1449
DAI $1.0008
RNDR $9.1190
CAKE $2.9399
IMX $2.1935
STX $2.8650
ETC $27.9082
FDUSD $0.9998
MNT $1.2003
NEAR $6.3271
FIL $6.6129
OKB $55.7832
HBAR $0.0909
TAO $475.1056
VET $0.0423
WIF $3.0785
ATOM $8.6865
MKR $3070.6157
KAS $0.1185
FET $2.4759
GRT $0.2860
INJ $29.1371
PEPE $0.0000
USDE $0.9998
XLM $0.1150
THETA $2.2569
XMR $121.6010
  • Catalog
  • Blog
  • Tor Relay
  • Jabber
  • One-Time notes
  • Temp Email
  • What is TOR?
  • We are in tor
  • Chinese program Sunlogin Remote Control is actively used by hackers to carry out BYOVD attacks

    A new hacking campaign exploits vulnerabilities in Sunlogin's remote access program to deploy Sliver's post-exploitation toolkit and launch BYOVD attacks to disable antivirus products.

    Sliver is a post-exploitation toolkit created by BishopFox that attackers started using as an alternative to Cobalt Strike last summer. They use it for network surveillance, executing commands, loading DLLs, creating sessions, manipulating processes, and so on.

    According to a report by AhnLab's Security Emergency Response Center (ASEC), the newly identified attacks targeted two vulnerabilities discovered last year in Sunlogin's remote access software.

    Attackers use these vulnerabilities to compromise a device and then execute PowerShell scripts to launch reverse shells or install other payloads such as Sliver, Gh0st RAT, or XMRig Monero.

    The attack begins by exploiting the CNVD-2022-10270 / CNVD-2022-03672 vulnerabilities that are relevant in Sunlogin version 11.0.0.33 and earlier. Attackers use vulnerabilities to execute an obfuscated PowerShell script and disable antivirus systems before deploying backdoors.

    The script decodes the portable .NET executable and loads it into memory. This executable is a modified version of the Mhyrot2DrvControl open source tool, which is designed to take advantage of vulnerable Windows drivers.

    Mhyprot2DrvControl runs mhyrot2.sys, a digitally signed anti-cheat driver for the Chinese game Genshin Impact. This driver, according to Trend Micro, has been used for ransomware attacks since last year.

    “The developer of Mhyprot2DrvControl has provided many functions that can be used with elevated mhyrot2.sys privileges. Among them, for example, a feature that allows hackers to forcibly terminate anti-virus program processes, which is very useful for developing malware,” ASEC experts explain in their report.

    The second part of the PowerShell script downloads Powercat from an external source and uses it to launch a reverse shell that connects to the C2 server, giving the attacker remote access to the compromised device.

    In some cases, the attacks were followed by the installation of the Sliver implant ("acl.exe"). The attackers also installed Gh0st RAT for remote file management, key registration, remote command execution, and the ability to exfiltrate data.

    Microsoft recommends that Windows administrators enable a Vulnerable Driver Block List to protect against BYOVD attacks.

    Author DeepWeb
    Clop ransomware victims for Linux have been decrypting their data for free for several months
    Data of Mandarinbank payment service clients leaked to the Network

    Comments 0

    Add comment