Sliver backdoor deployed through a remote-control program

February 20, 2023
Sliver Backdoor Malware Vulnerability Exploit RAT Remote Code Execution

Researchers discovered that a group of hackers had deployed the Sliver backdoor by exploiting a flaw in a remote-control program dubbed Sunlogin. According to the reports, installations of this vulnerable program were among the primary victims of cyberattacks last year.

The research revealed that a remote code execution (RCE) vulnerability, tracked as CNVD-2022-10270/CNVD-2022-03672 last year, was the cause of the breach.

Attacks against this remote-control program surged once the flaw and its code were exposed to the public. One of the threats the RCE enabled was the installation of Ghost RAT; in other incidents, threat actors installed the XMRig CoinMiner instead of the earlier-mentioned RAT.


The Sunlogin RCE bug became the primary vector for deploying the Sliver backdoor.


After exploiting the Sunlogin RCE vulnerability, the Sliver backdoor operators ran a PowerShell script that adopts a BYOVD (bring your own vulnerable driver) strategy. This tactic ensures that the security software installed on the target is taken down.

Subsequently, the threat actors used the binaries generated by the backdoor framework in the attacks without any extra packing. The malware investigation also revealed that the Sliver implant was built in session mode and used the mTLS protocol for command-and-control communication.
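The chain described above (remote-control program spawns PowerShell, a vulnerable driver is loaded to disable security software) can be correlated from endpoint telemetry. The following is an added detection sketch, not code from the original report: the remote-control process image name, the driver path and all event records are constructed assumptions.

```python
"""Correlate a shell spawned by a remote-control program with a later
unsigned driver load on the same host (the BYOVD step). Added example;
process names, paths and events below are constructed assumptions."""
from datetime import datetime, timedelta

# Assumed image name of the remote-control program's process (placeholder).
REMOTE_CONTROL_IMAGES = {"sunloginclient.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WINDOW = timedelta(minutes=10)

# Constructed, Sysmon-like events: id 1 = process create, id 6 = driver load.
EVENTS = [
    {"ts": "2023-02-01T10:00:00", "host": "ws01", "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\ProgramData\RemoteControl\SunloginClient.exe"},
    {"ts": "2023-02-01T10:03:12", "host": "ws01", "id": 6,
     "image": r"C:\Windows\Temp\drv.sys", "signed": "false"},
    {"ts": "2023-02-01T11:00:00", "host": "ws02", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2023-02-01T11:30:00", "host": "ws02", "id": 6,
     "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": "true"},
]

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def suspicious_spawns(events):
    """Process-create events where the remote-control program launched a shell."""
    return [e for e in events if e["id"] == 1
            and basename(e["parent"]) in REMOTE_CONTROL_IMAGES
            and basename(e["image"]) in SHELL_IMAGES]

def correlate_byovd(events):
    """Pair each suspicious spawn with an unsigned driver load on the same
    host within WINDOW; returns (host, spawn_ts, driver_path) tuples."""
    hits = []
    for spawn in suspicious_spawns(events):
        t0 = datetime.fromisoformat(spawn["ts"])
        for e in events:
            if e["id"] != 6 or e["host"] != spawn["host"] or e.get("signed") != "false":
                continue
            t1 = datetime.fromisoformat(e["ts"])
            if t0 <= t1 <= t0 + WINDOW:
                hits.append((spawn["host"], spawn["ts"], e["image"]))
    return hits

if __name__ == "__main__":
    for hit in correlate_byovd(EVENTS):
        print("possible BYOVD chain:", hit)
```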

The Sliver backdoor has become the go-to replacement for Cobalt Strike among hackers, and more threat groups have adopted it as their primary weapon because it offers them a practical command-and-control framework.

This open-source adversary simulation tool is cross-platform and offers core features such as dynamic code generation and obfuscation. Furthermore, it provides secured C2 communication over multiple transports, including HTTP, mTLS and WireGuard, and ships a COFF/BOF in-memory loader, among other capabilities.

The framework also includes an extension package manager that enables its operators to install various third-party tools easily.

The Sliver backdoor is gaining increased traction among different hacking groups, which use it in various forms of data-stealing cybercriminal campaigns. This sudden popularity stems from its dependable features for breaching corporate targets.

Experts recommend that users apply the latest software updates to their installed software and security solutions to prevent the exploitation of such bugs.
