The ASEC analysis team identified the Sliver backdoor being deployed by exploiting a vulnerability in Sunlogin, a remote-control program. Since 2022, researchers have spotted several targeted attacks against the vulnerable software.

Diving into details 

The remote code execution bug, tracked as CNVD-2022-10270/CNVD-2022-03672, in Sunlogin was disclosed in 2022.
  • Once the vulnerability and its exploit code were made public, attacks against the remote-control program were observed.
  • Exploitation of the flaw leads to the installation of Gh0st RAT; in some cases, however, the attackers installed XMRig CoinMiner instead of Gh0st RAT.

Modus operandi

  • After exploiting the Sunlogin RCE bug, the threat actors installed a PowerShell script that uses the BYOVD (Bring Your Own Vulnerable Driver) technique to disable the security software installed on the host.
  • Following this, Sliver was dropped. The attackers used the implant binaries generated by the framework as-is, without any additional packing.
  • Static analysis of the malware revealed that this Sliver implant was built in Session Mode and used mTLS for its C2 communication.

About Sliver 

Sliver, originally positioned as an alternative to Cobalt Strike, has become a sought-after C2 framework for threat actors.
  • As a cross-platform, open-source adversary simulation tool, it offers core features such as dynamic code generation and obfuscation, among others.
  • It provides secure C2 communication over mTLS, HTTP(S) and WireGuard, and ships a COFF/BOF in-memory loader, among other capabilities.
  • The framework contains an extension package manager (armory) that allows easy installation (automatic compilation) of various third-party tools.

The bottom line

Sliver is increasingly used by attack groups in various cyberattacks, including stealing information from corporate systems and deploying ransomware. This is because, as a penetration testing tool, Sliver provides the step-by-step capabilities such attacks require, such as stealing account credentials, moving laterally within internal networks, and compromising a company's internal network, much like Cobalt Strike. To prevent the exploitation of such vulnerabilities, users are advised to apply the latest patches to their installed software.
Cyware Publisher