According to Trend Micro, ransomware attackers are exploiting the Genshin Impact anti-cheat system to disable antivirus software and then deploy ransomware.
Once malware enters a system, it does everything it can to keep its malicious code running for as long as possible. With the help of a legitimately signed driver and its valid certificate, it can manipulate processes and prevent virus scanners from functioning properly. The driver the threat actors used to gain this foothold is “mhyprot2.sys”, the Genshin Impact anti-cheat driver.
Genshin Impact is a hit role-playing game that has been widely praised. It was developed and published by the Tokyo-based developer miHoYo in 2020.
The driver used in the attack chain was built in August 2020, and a flaw in its modules was being discussed publicly after the game's release. Recent exploits demonstrate the ability to kill an arbitrary process and escalate to kernel mode.
Ransomware attackers sometimes use legitimate modules with valid code signing to install malware. Such modules let an attacker move from user mode to a higher privilege level, a reminder of how interconnected the operating-system ecosystem is and how readily its components can be weaponized.
Ryan Soliven and Hitomi Kimura, response analysts, said, “The threat actor aimed to deploy ransomware within the victim’s device and then spread the infection.”
They further added, “Organizations and security teams should be careful because of several factors: the ease of obtaining the mhyprot2.sys module, the versatility of the driver in terms of bypassing privileges, and the existence of well-made proofs of concept (PoCs).”
Trend Micro analyzed a compromised endpoint belonging to an unnamed entity that was used as a conduit to connect to the domain controller via Remote Desktop Protocol, which then dropped and executed a Windows installer posing as AVG Internet Security.
A recent attack on the University of Calgary aimed to infect the computer system by installing a driver and launching ransomware payloads.
The game doesn’t need to be installed on the victim’s device for this to work, which means threat actors can simply install the anti-cheat driver and then deploy the ransomware.
We have contacted miHoYo for comment, and we will update this story if we hear back.
According to the researchers, this module is relatively easy to obtain and is likely to remain in circulation for a long time before it is removed, because it is useful to anyone who wants to bypass privileges.
Certificate revocation and antivirus detection might deter this malicious behavior on the system, but at the moment no such solution is in place.
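As an added detection example (not code from the Trend Micro report or this article), the following Python scans constructed Sysmon Event ID 6 (DriverLoad) records for the driver named above, flagging it by file name and by load location rather than by signature status, since the driver's signature is valid; the trusted-directory list, the flattened log layout and the sample signer value are assumptions made for this example.

```python
from pathlib import PureWindowsPath

# Driver name taken from the article; file hashes for a real blocklist would come
# from a vendor advisory and are deliberately not invented here.
WATCHLIST_DRIVERS = {"mhyprot2.sys"}
# Directories kernel drivers are normally loaded from (assumption for this example).
TRUSTED_DRIVER_DIRS = ("c:/windows/system32/drivers", "c:/windows/system32/driverstore")

# Constructed sample records in a flattened 'key=value|key=value' Sysmon layout.
# The signer value is a constructed sample, not the driver's actual certificate subject.
SAMPLE_EVENTS = [
    "EventID=6|ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Users\\Public\\mhyprot2.sys|Signed=true|Signature=miHoYo|SignatureStatus=Valid",
    "EventID=6|ImageLoaded=C:\\Windows\\Temp\\svc.sys|Signed=false|Signature=|SignatureStatus=Unsigned",
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd /c whoami",
]

def parse_event(line: str) -> dict:
    """Split a flattened record into a dict; values may themselves contain ':' or '\\'."""
    return dict(field.split("=", 1) for field in line.split("|") if "=" in field)

def in_trusted_dir(image: str) -> bool:
    """True when the driver image sits under one of the normal driver directories."""
    path = image.replace("\\", "/").lower()
    return any(path.startswith(d + "/") for d in TRUSTED_DRIVER_DIRS)

def assess_driver_load(event: dict) -> list[str]:
    """Return the reasons a DriverLoad event deserves attention (empty list = nothing found)."""
    image = event.get("ImageLoaded", "")
    name = PureWindowsPath(image).name.lower()
    reasons = []
    if name in WATCHLIST_DRIVERS:
        reasons.append("known abusable driver")
    if not in_trusted_dir(image):
        reasons.append("loaded from outside the driver directories")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned")
    # A valid signature is deliberately NOT treated as clearing the driver: the abused
    # anti-cheat driver is validly signed, which is exactly why Windows loads it.
    return reasons

def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged driver image to its reasons; non-DriverLoad events are skipped."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "6":
            continue
        reasons = assess_driver_load(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the watch-listed driver even though it is signed, while the stock Microsoft driver loaded from the normal directory produces no finding.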