Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:12:07 JST:

There have already been reports on code-signed rootkits like Netfilter, FiveSys, and Fire Chili. These rootkits are usually signed with stolen certificates or are falsely validated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware. Security teams and defenders should note that mhyprot2.sys can be integrated into any malware.
https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:13:33 JST:

Analyzing the sequence, we found that a code-signed driver called “mhyprot2.sys”, which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges. As a result, commands from kernel mode killed the endpoint protection processes.

So malware is using the driver in its code base to bypass detection?
Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:14:32 JST:

As of this writing, the code signing for mhyprot2.sys is still valid. Genshin Impact does not need to be installed on a victim’s device for this to work; the use of this driver is independent of the game.

Ah, they sure do. Interesting.
Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:16:25 JST:

We have confirmed that privilege bypassing is possible in at least this file:
* mhyprot2.sys (0466e90bf0e83b776ca8716e01d35a8a2e5f96d3)
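A check a defender can run after the post above, as an added example that is not part of this thread or of Trend Micro's write-up: a small Python IOC scanner that walks a directory tree, hashes every file, and reports any file whose SHA-1 matches the value quoted above. Matching on the file name alone is an assumption made here so that other builds of the driver are surfaced for review rather than missed; the sample tree it scans is constructed in a temporary directory and holds a placeholder, not the real driver.

```python
"""Hunt for the abused mhyprot2.sys anti-cheat driver by file name and SHA-1.

Added example, not code from the thread or from Trend Micro. The SHA-1 is the
one quoted in the thread; the name-only rule is an assumption so that other
builds of the driver are flagged for a closer look.
"""
import hashlib
import os
import tempfile

# SHA-1 quoted in the thread for mhyprot2.sys.
IOC_SHA1 = {"0466e90bf0e83b776ca8716e01d35a8a2e5f96d3": "mhyprot2.sys (thread IOC)"}
# Assumption: any file carrying this name is worth a manual look.
IOC_NAMES = {"mhyprot2.sys"}


def sha1_of_bytes(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(name: str, digest: str):
    """Return a reason string if (name, sha1) hits the IOC set, else None."""
    if digest in IOC_SHA1:
        return f"sha1 match: {IOC_SHA1[digest]}"
    if name.lower() in IOC_NAMES:
        return f"name match ({digest}); verify signer and hash"
    return None


def scan_tree(root: str):
    """Return a list of (path, reason) for every file that hits the IOC set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha1_of_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            reason = classify(name, digest)
            if reason:
                hits.append((path, reason))
    return hits


def demo():
    """Constructed sample tree: a placeholder named like the driver plus a benign file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "drivers"))
    with open(os.path.join(root, "drivers", "MHYPROT2.SYS"), "wb") as f:
        f.write(b"constructed placeholder, not the real driver")
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"benign")
    return scan_tree(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Point scan_tree at the drivers directory of the host (on Windows, %SystemRoot%\System32\drivers). Since the post above notes that the game need not be installed for the driver to be abused, a copy of it on a machine without Genshin Impact is itself a lead; a name-only match is a lead, not a verdict, so check the Authenticode signer and hash before acting.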
sn0w (sn0w@cofe.rocks) on Thursday, 25-Aug-2022 21:20:36 JST:

@puniko Almost as if all the community warnings about kernel-mode anti-cheat being a horrible idea actually had some truth to it.
Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:24:10 JST:

@kdy@im-in.space Kernel-based anti-cheat is more of a risk than it solves anything, tbh.
Kody (kdy@im-in.space) on Thursday, 25-Aug-2022 21:24:12 JST:

@puniko Oh wow.
When Honkai Impact was released on PC, I looked at ACE and wondered if it could be exploited, given just how much data it was exchanging with Tencent's servers.
Guess they should have stayed with that solution for Genshin, huh.
Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:25:04 JST:

@delta I bet it's also not the first time. And no, it definitely won't stop corpos from using kernel anti-cheat.
Delta (delta@mk.absturztau.be) on Thursday, 25-Aug-2022 21:25:05 JST:

@puniko That was inevitably bound to happen; probably not gonna stop companies from continuing to use kernel anti-cheat, though.
Puniko (puniko@mk.absturztau.be) on Thursday, 25-Aug-2022 21:27:19 JST:

So true.
https://nitter.absturztau.be/0xabad1dea/status/1562774083854811142
Kody (kdy@im-in.space) on Thursday, 25-Aug-2022 21:28:13 JST:

@puniko Yeah.
Also, I remember seeing a PoC of exploitation of Genshin's anti-cheat, and lo and behold, it dates back to October 2020, less than a month after the game's release: https://github.com/kkent030315/libmhyprot