Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations – ASEC BLOG

MITRE Techniques

• [T1068] Exploitation for Privilege Escalation – BYOVD uses a vulnerable driver to escalate privileges and perform arbitrary actions. Quote: ‘BYOVD (Bring Your Own Vulnerable Driver) technique, which abuses vulnerable Windows driver files and uses the escalated privilege to perform arbitrary behaviors.’
• [T1562.001] Impair Defenses – Force termination of security products using Mhyprot2DrvControl to evade detection. Quote: ‘the feature which allows the force termination of processes to develop a malware that shuts down multiple anti-malware products.’
• [T1059.001] PowerShell – PowerShell is used to download and install Gh0st RAT and to run the attacker’s commands. Quote: ‘The PowerShell script is obfuscated…’
• [T1059.001] PowerShell – Additional PowerShell-based commands used to execute the Sunlogin RCE exploits and loader components. Quote: ‘PowerShell command executed through the Sunlogin RCE vulnerability.’
• [T1027] Obfuscated/Compressed Files and Information – Sliver and related scripts are obfuscated; PowerShell scripts are obfuscated. Quote: ‘the PowerShell script is obfuscated’ and ‘the Sliver backdoor is normally obfuscated.’
• [T1071.001] Web Protocols – Sliver uses mTLS, WireGuard, HTTP(S), and DNS to communicate with C2 to evade network detection. Quote: ‘Sliver also supports methods that use mTLS, WireGuard, HTTP(S), and DNS to communicate with the C&C server…’
• [T1021] Lateral Movement – Sliver’s capabilities enable internal network takeover and lateral movement. Quote: ‘Overtaking internal networks, such as privilege escalation, process memory dumping, and lateral movement.’
• [T1003] Credential Dumping – Sliver capabilities include memory detection and memory dumping as part of its behavior. Quote: ‘process memory dumping, and lateral movement.’
• [T1113] Screenshots – Sliver features include screenshot capturing. Quote: ‘screenshot capturing.’