A new hacking campaign exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software.
Sliver is a post-exploitation toolkit created by Bishop Fox that threat actors began using as a Cobalt Strike alternative last summer, employing it for network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.
According to a report by the AhnLab Security Emergency Response Center (ASEC), recently observed attacks target two 2022 vulnerabilities in Sunlogin, a remote-control software by a Chinese developer.
After exploiting these vulnerabilities to compromise a device, the attackers use a PowerShell script to open reverse shells or to install other payloads, such as Sliver, Gh0st RAT, or the XMRig Monero coin miner.