Genshin Impact anti-cheat system exploited for disabling AV

August 31, 2022

Malicious threat actors have recently been spotted exploiting the Genshin Impact anti-cheat system to conduct ransomware attacks.

The game’s anti-cheat module, the driver mhyprot2[.]sys, does not require the game to be installed on the targeted system: it can operate independently or be embedded in malware. This driver gives adversaries a critical flaw they can use to disable security software.

The flawed driver has been on the radar of researchers for two years. The vulnerability gives attackers access to kernel memory and enables them to terminate processes after acquiring admin privileges.

The researchers have reported this vulnerability to the vendor numerous times in recent years. Unfortunately, the code-signing certificate has not been revoked; therefore, the program can still be installed on Windows freely.

There have also been two proof-of-concept abuses published on GitHub since 2020, detailing how to read and write kernel memory with kernel-mode privileges from user mode, identify threats, and terminate processes.

Ransomware actors have started abusing the Genshin Impact anti-cheat system vulnerability.

A cybersecurity researcher has observed several pieces of evidence of ransomware actors exploiting the Genshin Impact anti-cheat system since the last weeks of July this year. The ransomware operators have utilised the driver to disable properly configured endpoint protection solutions.

The adversaries used wmiexec and secretsdump against a target endpoint and then connected to the domain controller through RDP using stolen credentials. The actors’ first action on the infected device was to transfer mhyprot2[.]sys to the desktop together with a malicious executable called kill_svc[.]exe. The threat actors use this executable to install the driver.

Subsequently, the infiltrator will drop the avg[.]msi, which will drop and run the logon[.]bat, HelpPane[.]exe, mhyprot2[.]sys, and svchost[.]exe. Another researcher indicated that the threat actors have attempted but failed three times to encrypt the files on the attacked infrastructure.

The antivirus services of the infrastructure had been deactivated by the hackers. The attackers then moved logon[.]bat to the desktop and ran it manually, which succeeded.

The threat actors then place the driver, the kill_svc[.]exe executable, and the ransomware on a network share for mass distribution, infecting numerous workstations.
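As an added defender-side illustration (not code from the original report or from any vendor), the following Python flags the driver and file names from the chain described above in constructed Sysmon-style records. The record layout, the sample paths and the assumption that the Windows directory lives under C:\Windows are all mine.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts

# Names taken from the attack chain described above. mhyprot2.sys carries a
# valid signature, so a signature check alone will not catch it; the file
# name and the location it is loaded from are the useful signals.
VULNERABLE_DRIVERS = {"mhyprot2.sys"}
DROPPED_ARTIFACTS = {"kill_svc.exe", "avg.msi", "logon.bat"}
# Legitimate Windows binary names reused by the dropped files; the genuine
# ones only ever execute from under the Windows directory (assumed C:\Windows).
MASQUERADED_NAMES = {"svchost.exe", "helppane.exe"}
WINDOWS_DIR = ntpath.normcase(r"C:\Windows") + "\\"

def _name(path):
    return ntpath.basename(path).lower()

def _under_windows_dir(path):
    return ntpath.normcase(path).startswith(WINDOWS_DIR)

def analyze(events):
    """Return (event_index, reason) findings for Sysmon-style event dicts
    (EventID 6 = driver loaded, EventID 1 = process created)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 6:
            if _name(ev["ImageLoaded"]) in VULNERABLE_DRIVERS:
                findings.append((i, "vulnerable anti-cheat driver loaded: " + ev["ImageLoaded"]))
        elif ev["EventID"] == 1:
            name = _name(ev["Image"])
            cmd = ev.get("CommandLine", "").lower()
            if name in DROPPED_ARTIFACTS or any(a in cmd for a in DROPPED_ARTIFACTS):
                findings.append((i, "known dropped artifact executed: " + ev["Image"]))
            if name in MASQUERADED_NAMES and not _under_windows_dir(ev["Image"]):
                findings.append((i, "Windows binary name outside Windows dir: " + ev["Image"]))
    return findings

# Constructed sample events (field names follow Sysmon; values are made up).
SAMPLE_EVENTS = [
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"EventID": 6, "ImageLoaded": r"C:\Users\admin\Desktop\mhyprot2.sys"},
    {"EventID": 1, "Image": r"C:\Users\admin\Desktop\kill_svc.exe", "CommandLine": "kill_svc.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\admin\Desktop\svchost.exe", "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\admin\Desktop\logon.bat"},
]

if __name__ == "__main__":
    for idx, reason in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The genuine svchost.exe under System32 produces no finding, while the same name on a desktop and the cmd.exe launch of logon.bat both do.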
