Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus
A vulnerable anti-cheat driver for the Genshin Impact video game has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware, according to findings from Trend Micro.
The ransomware infection, which was triggered in the last week of July 2022, banked on the fact that the driver in question (“mhyprot2.sys”) is signed with a valid certificate, thereby making it possible to circumvent privileges and terminate services associated with endpoint protection applications.
Genshin Impact is a popular action role-playing game that was developed and published by Shanghai-based developer miHoYo in September 2020.
The driver used in the attack chain is said to have been built in August 2020, with the existence of the flaw in the module discussed after the release of the game, and leading to exploits demonstrating the ability to kill any arbitrary process and escalate to kernel mode.
The idea, in a nutshell, is to use the legitimate device driver module with valid code signing to escalate privileges from user mode to kernel mode, reaffirming how adversaries are constantly looking for different ways to stealthily deploy malware.
“The threat actor aimed to deploy ransomware within the victim’s device and then spread the infection,” incident response analysts Ryan Soliven and Hitomi Kimura said.
“Organizations and security teams should be careful because of several factors: the ease of obtaining the mhyprot2.sys module, the versatility of the driver in terms of bypassing privileges, and the existence of well-made proofs of concept (PoCs).”
In the incident analyzed by Trend Micro, a compromised endpoint belonging to an unnamed entity was used as a conduit to connect to the domain controller via remote desktop protocol (RDP) and transfer to it a Windows installer posing as AVG Internet Security, which dropped and executed, among other files, the vulnerable driver.
The goal, the researchers said, was to mass-deploy the ransomware to using the domain controller via a batch file that installs the driver, kills antivirus services, and launches the ransomware payload.
Trend Micro pointed out that the game “does not need to be installed on a victim’s device for this to work,” meaning threat actors can simply install the anti-cheat driver as a precursor to ransomware deployment.
We have reached out to miHoYo for comment, and we will update the story if we hear back.
“It is still rare to find a module with code signing as a device driver that can be abused,” the researchers said. “This module is very easy to obtain and will be available to everyone until it is erased from existence. It could remain for a long time as a useful utility for bypassing privileges.”
“Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.”