Threat actor abuses Genshin Impact Anti-Cheat driver to disable antivirus

Pierluigi Paganini August 27, 2022

Threat actors abused a vulnerable anti-cheat driver for the Genshin Impact video game to disable antivirus software.

Threat actors abused a vulnerable anti-cheat driver, named mhyprot2.sys, for the Genshin Impact video game to disable antivirus software. According to Trend Micro, a cybercrime gang abused the driver to deploy ransomware.

The driver provides anti-cheat functions, but threat actors have found a way to use it to escalate privileges and kill the processes and services associated with endpoint protection applications.

“However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware.” reads the report published by Trend Micro. “Security teams and defenders should note that mhyprot2.sys can be integrated into any malware.”

The attack abusing the mhyprot2.sys drive was spotted by the security firm during the last week of July 2022, when threat actors attempted to deploy ransomware.

The code signing for mhyprot2.sys was still valid at the time of the report, experts pointed out that the use of this driver is independent of the game, which means that Genshin Impact does not need to be installed on a victim’s device.

The researchers speculate that other threat actors could abuse this driver for their malware-based attacks.

“Since mhyprot2.sys can be integrated into any malware, we are continuing investigations to determine the scope of the driver.” continues the experts.

Genshin Impact driver

Experts warn that of the availability of proof-of-concept (PoC) code exploiting the driver for multiple purposes. A PoC, provided by user kagurazakasanae allows to terminate 360 Total Security. Another PoC developed by Kento Oki, had the following capabilities:

  • Read/Write any kernel memory with privilege of kernel from user mode.
  • Read/Write any user memory with privilege of kernel from user mode.
  • Enumerate a number of modules by specific process id.
  • Get system uptime.
  • Enumerate threads in a specific process, allowing reading of the PETHREAD structure in the kernel directly from the command-line interface (CLI).
  • Terminate a specific process by process id with ZwTerminateProcess, which calls in the vulnerable driver context (ring-0).

In the attack analyzed by the experts, threat actors deployed a malicious Windows installer posing as AVG Internet Security to the domain controller. The installer dropped and executed the driver used in the attack, Trend Micro believes the threat actor intended to mass-deploy the ransomware using the domain controller via startup/logon script.

The issue was reported to the developer of Genshin Impact, miHoYo, as a vulnerability. Unfortunately the provider did not acknowledge the issue as a vulnerability and did not provide a fix. The code-signing certificate is still valid and has not been revoked until now and the digital signature for code signing as a device driver is still valid at this time.

“It is still rare to find a module with code signing as a device driver that can be abused. The point of this case is that a legitimate device driver module with valid code signing has the capability to bypass privileges from user mode to kernel mode” conclude the experts. “As mentioned above, this module is very easy to obtain and will be available to everyone until it is erased from existence. It could remain for a long time as a useful utility for bypassing privileges. Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, driver)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment