Attackers Target Windows Devices Using Cobalt Strike Alternative ‘Sliver’
Security analysts at AhnLab Security Emergency Response Center (ASEC) have detected a new hacking campaign that chains Sunlogin vulnerabilities with a Bring Your Own Vulnerable Driver (BYOVD) attack to disable security software and deploy the post-exploitation framework Sliver. Sliver, open-sourced by Bishop Fox as an alternative to Cobalt Strike, gives threat actors the usual post-exploitation feature set: host and network reconnaissance, command execution, reflective DLL loading, session spawning, process manipulation, Windows process migration, multiplayer (multi-operator) mode, compile-time obfuscation, dynamic code generation, and staged and stageless payloads.
The cyber criminals use PowerShell scripts to open reverse shells on compromised computers and install payloads such as Sliver, Gh0st RAT, and the XMRig Monero coin miner. Once a Sliver implant is running, the operator can issue any of its commands through the backdoor it creates, which covers the full range of post-exploitation behaviour listed above.
In this case, the target was Sunlogin (v11.0.0.33 and earlier), a remote-desktop product from the Chinese vendor Oray, which the attackers exploited through two vulnerabilities (CNVD-2022-10270 and CNVD-2022-03672) using readily available PoC exploits. After gaining code execution, they run a PowerShell script that loads a legitimately signed but vulnerable driver (mhyprot2.sys, the anti-cheat driver shipped with the game Genshin Impact) to run code with kernel-level privileges and terminate security processes, then establish remote access to the compromised computer with a Powercat reverse shell.
In some instances, the Sunlogin attacks were followed by the installation of a Sliver implant (“acl.exe”) on the system. The implant was generated by the Sliver framework in “Session Mode”, meaning it keeps a persistent, interactive connection to the C2 server rather than checking in at intervals as a beacon does, and it was not protected by any packer, so the attackers could immediately carry out malicious actions over that session.
To mitigate the risk of BYOVD attacks, Microsoft recommends enabling the vulnerable driver blocklist in Windows (enforced through memory integrity/HVCI or a Windows Defender Application Control policy), and defenders should additionally block the hash of the AV killer used in this campaign. System administrators should also watch the System event log for newly installed services (Service Control Manager Event ID 7045) whose name or image path references mhyprot2, and more generally for any kernel-mode driver installed from a user-writable location.
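The monitoring step above can be turned into a small triage routine. The following is an added example and not code from ASEC or this article: it parses Service Control Manager events rendered as XML (the shape produced by an EVTX export or Get-WinEvent’s ToXml()), keeps only Event ID 7045 installs, and flags two conditions, a driver name from a watch list (only mhyprot2 is taken from the article; the list is an assumption to be extended) and a kernel-mode driver whose image path sits under a user-writable directory, which generalises the check beyond this one campaign. The sample events are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

# Windows event log XML namespace (same for every channel)
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Driver names to hunt for. mhyprot2 is the one named in the ASEC report;
# the tuple itself is an assumption meant to be extended by the defender.
SUSPECT_DRIVERS = ("mhyprot2",)

# A legitimate kernel driver install should not be sourced from these locations.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.IGNORECASE)


def parse_7045(event_xml: str) -> Optional[dict]:
    """Extract service-install fields from one System log event; None if it is not a 7045."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "7045":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "service": data.get("ServiceName", ""),
        "image": data.get("ImagePath", ""),
        "type": data.get("ServiceType", ""),   # "kernel mode driver" for a BYOVD load
        "start": data.get("StartType", ""),
    }


def triage(rec: dict) -> List[str]:
    """Return the reasons an install record is suspicious (empty list means no match)."""
    reasons = []
    haystack = f"{rec['service']} {rec['image']}".lower()
    for name in SUSPECT_DRIVERS:
        if name in haystack:
            reasons.append(f"known BYOVD driver name: {name}")
    if "kernel" in rec["type"].lower() and USER_WRITABLE.search(rec["image"]):
        reasons.append("kernel driver loaded from a user-writable path")
    return reasons


def hunt(events: List[str]) -> List[dict]:
    """Run every rendered event through parse + triage and keep the ones that fire."""
    findings = []
    for xml_text in events:
        rec = parse_7045(xml_text)
        if rec is None:
            continue
        reasons = triage(rec)
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def _event(event_id, service, image, svc_type, start="demand start",
           when="2023-01-20T03:14:15.000Z"):
    """Build a constructed Service Control Manager event in Windows event XML form."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Service Control Manager"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Channel>System</Channel>
  </System>
  <EventData>
    <Data Name="ServiceName">{service}</Data>
    <Data Name="ImagePath">{image}</Data>
    <Data Name="ServiceType">{svc_type}</Data>
    <Data Name="StartType">{start}</Data>
    <Data Name="AccountName"></Data>
  </EventData>
</Event>"""


# Constructed sample log: one BYOVD-style install, one normal driver install,
# one unknown kernel driver dropped in ProgramData, and one non-7045 event.
SAMPLE_EVENTS = [
    _event(7045, "mhyprot2", r"\??\C:\Users\Public\mhyprot2.sys", "kernel mode driver"),
    _event(7045, "vmci", r"\SystemRoot\System32\drivers\vmci.sys", "kernel mode driver", "boot start"),
    _event(7045, "drv_x", r"\??\C:\ProgramData\drv_x.sys", "kernel mode driver"),
    _event(7036, "wuauserv", r"C:\Windows\System32\svchost.exe", "user mode service"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["time"], f["service"], f["image"], "->", "; ".join(f["reasons"]))
```

On a live host the same functions can be fed the output of `Get-WinEvent -LogName System -FilterXPath "*[System[EventID=7045]]" | ForEach-Object { $_.ToXml() }`; the path rule is deliberately broad, so treat its hits as leads to confirm against the driver's signer and hash rather than as verdicts.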
Using OneNote to Deliver Malware
Cyber criminals are exploiting OneNote documents to spread malware to unsuspecting end users through email, according to researchers at Proofpoint. The documents drop remote-access malware that can be used to install additional malware, steal passwords, or access cryptocurrency wallets. OneNote is a digital notebook developed by Microsoft and is part of the Microsoft 365 product suite.
The researchers found that these malicious OneNote documents, with a “.one” extension, were being sent as email attachments or via URLs. The shift to OneNote follows Microsoft’s decision in July 2022 to block VBA macros by default in Office documents downloaded from the internet, which pushed attackers toward file types whose payloads do not depend on macros.
The malware campaigns were found to have used themes such as invoices, remittances, shipping, and seasonal lures such as Christmas bonuses to target businesses in the education sector and other industries. The attackers continued to use the same tactics: an executable, script, or shortcut is embedded in the OneNote attachment and hidden behind a graphic that looks like a button, and when the victim double-clicks it (and dismisses OneNote’s warning prompt) it runs and downloads the malware payload. In some campaigns, the attackers used legitimate services like OneNote Gem and Transfer.sh to host the payloads.
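Because the embedded file is stored inside the .one container rather than executed by a macro, it can be carved out statically before anyone double-clicks it. The following is an added example and not code from Proofpoint or this article: it scans a .one blob for FileDataStoreObject structures (the header and footer GUIDs and the 36-byte layout before the file data are taken from Microsoft’s MS-ONE specification), extracts each embedded file, and labels it by magic bytes or script markers. The sample blob is constructed for the demonstration (arbitrary filler stands in for the real section header), and the magic list is a starting point, not an exhaustive one.

```python
import struct
import uuid
from typing import Iterator, List, Tuple

# FileDataStoreObject delimiters from the MS-ONE specification (section 2.6.13),
# stored little-endian in the file
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le
# header(16) + cbLength(8, uint64) + unused(4) + reserved(8) precede the FileData
FDSO_PREAMBLE = 36

# Magic bytes worth flagging inside a OneNote attachment (constructed, non-exhaustive)
SUSPICIOUS_MAGIC = {
    b"MZ": "PE executable",
    b"PK\x03\x04": "ZIP/Office container",
    b"L\x00\x00\x00\x01\x14\x02\x00": "Windows shortcut (LNK)",
}
SCRIPT_HINTS = (b"<script", b"wscript", b"powershell", b"cmd.exe", b"<hta:application")


def carve_embedded_files(data: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (offset, length, payload) for each FileDataStoreObject in a .one blob."""
    pos = 0
    while True:
        idx = data.find(FDSO_HEADER, pos)
        if idx < 0 or idx + FDSO_PREAMBLE > len(data):
            return
        (length,) = struct.unpack_from("<Q", data, idx + 16)
        start = idx + FDSO_PREAMBLE
        end = start + length
        if end > len(data):
            # cbLength runs past the file: treat as corrupt and keep scanning
            pos = idx + 16
            continue
        yield idx, length, data[start:end]
        pos = end


def classify(payload: bytes) -> str:
    """Label an embedded file by magic bytes, then by script markers in its first 4 KiB."""
    for magic, name in SUSPICIOUS_MAGIC.items():
        if payload.startswith(magic):
            return name
    head = payload[:4096].lower()
    if any(hint in head for hint in SCRIPT_HINTS):
        return "script/HTA content"
    return "other"


def scan_onenote(data: bytes) -> List[dict]:
    """Return one finding per embedded file: where it is, how big, and what it looks like."""
    return [
        {"offset": off, "length": ln, "kind": classify(payload)}
        for off, ln, payload in carve_embedded_files(data)
    ]


def _build_fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to construct the sample)."""
    return FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\0" * 12 + payload + FDSO_FOOTER


# Constructed sample: filler in place of the section header, then a fake PE stub
# and a tiny HTA dropper, each stored the way OneNote stores an embedded file
SAMPLE_ONE = (
    b"\0" * 64
    + _build_fdso(b"MZ\x90\x00" + b"\0" * 60)
    + b"\0" * 16
    + _build_fdso(b"<hta:application><script>new ActiveXObject('WScript.Shell')</script>")
)

if __name__ == "__main__":
    for finding in scan_onenote(SAMPLE_ONE):
        print(finding)
```

Run against a real attachment with `scan_onenote(open(path, "rb").read())`; anything classified as an executable, shortcut, or script inside a document that claims to be an invoice is a strong signal, and the carved bytes can be hashed or detonated without ever opening the file in OneNote.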
Proofpoint researchers also discovered a low-volume campaign distributing the DOUBLEBACK backdoor, which can enable host and network reconnaissance, data theft, and follow-on payloads. The emails contained URLs on several domains with a URI ending in “/download/[guid]”. The attackers pretended to have previously contacted the victim and claimed that the related files had been uploaded to cloud storage. If the victim double-clicked the embedded file, JavaScript code executed that downloaded a file from a remote URL and displayed a fake error message.
Additionally, the initial access broker TA577 resumed operations in January 2023 after a one-month absence and delivered Qbot through an attack chain that includes OneNote. The emails carried a distinct URL in the message body and were crafted to look like replies to earlier conversations.
Author: Guru