Trend Micro security researchers warn that hackers are already actively exploiting the Genshin Impact mhyprot2.sys driver vulnerability.
On the one hand, anti-cheat software is designed to prevent online game players from gaining an unfair advantage by using third-party tools. On the other hand, systems with kernel-level root access are dangerous. Trend Micro security researchers warn that hackers misused an anti-cheat system driver for the Genshin Impact game to disable antivirus software while carrying out a ransomware attack.
Genshin Impact uses the mhyprot2.sys anti-cheat file
Chinese developer HoYoverse (miHoYo in China) launched the free MMOPRG game Genshin Impact in 2020. Since then, it has been very popular. Many players connect to its fantastic game world, called Teyvat, through mobile devices, consoles or on the PC. However, while most games use EasyAntiCheat or BattlEye as their anti-cheat systems, Genshin Impact specifically uses the mhyprot2.sys anti-cheat file.
Trend Micro investigates kernel-level ransomware attack
Antivirus vendor Trend Micro received a report in July 2020 from a customer who fell victim to ransomware despite having properly configured systems for endpoint protection. When Trend Micro security researchers Hitomi Kimura and Ryan Soliven investigated the attack, they discovered that an attacker had used a code-signed driver, mhyprot2.sys, to bypass permissions and kill the antivirus. with kernel commands. However, one may wonder how the hackers initially managed to break into the system. The researchers said:
“Analyzing the footage, we discovered that a code-signed driver called ‘mhyprot2.sys’, which provides anti-cheat functionality for Genshin Impact as a device driver, has been abused to circumvent permissions. […] The attacker’s goal was to install ransomware on the victim’s device and then spread the infection. »
Attackers target Windows users
According to Trend Micro security researchers, attackers are targeting Windows users of the popular open-ended action game Genshin Impact. Anti-Cheat for Genshin works as a device driver and has kernel-level permission on the computer. Thus, potential attackers can use this file to exploit the vulnerability to bypass various security measures and thereby terminate the endpoint protection process.
Specifically, the hacker managed to inject ransomware, encrypt all files and access confidential data. Additionally, according to security researchers, the malware can be transferred to other computers through a PsExec process. The attackers were able to fully load the driver and ransomware onto a network share for the purpose of mass deployment.
The vulnerable driver is known since 2020 and allows to access any process/kernel memory and kill processes with highest privileges. Security researchers have reported the issue to the vendor several times in the past. However, the code signing certificate has not been revoked, so you can still install the program on Windows without raising any alarms. To be able to use the features of the driver, the game does not have to be installed. The module can work independently and does not need the game to work. Trend Micro therefore warns:
“This module is very easy to obtain and is available to everyone until it is phased out. It could stay as a useful permission bypass utility for a long time.
Trend Micro notes that following the incident, it made some fixes to its antivirus software to mitigate the driver. However, other antivirus suites can still miss mhyprot2.sys unless they are specifically configured to do so.
The game developer provides a fix
In response to Trend Micro’s report, Genshin Impact developer miHoYo has developed a patch to mitigate the threat. It updated the anti-cheat system to disable itself when the user is not playing the game. The developer shared:
“The HoYovere team takes IT security very seriously. We are currently working on this case and will try to find a solution as soon as possible to keep players safe and prevent potential abuse of the anti-cheat feature. We’ll keep you posted as we progress. »
According to Trend Micro security researchers “there is currently no solution”. The anti-cheat system is a legitimate program signed by a legitimate company. Therefore, it is not flagged as malicious by antivirus or Windows. Now that the vulnerability has been discovered, the floodgates may have opened for further potential abuse.
As reported by DigitalTrends, security researcher Kevin Beaumont advised users to block the following hash to protect against the driver: 0466e90bf0e83b776ca8716e01d35a8a2e5f96d3 .