Ransomware actor abuses Genshin Impact anti-cheat driver to kill antivirus

The mhyprot2.sys driver found in this sequence was the one built in August 2020. Going back to social media feeds, we can see that shortly after the release of Genshin Impact in September 2020, this module was discussed in the player community because it was not removed even after the game had been uninstalled, and because it allowed privilege bypass.

A PoC provided by the user kagurazakasanae showed that a library could terminate 360 Total Security. A more complete PoC provided by Kento Oki had the following abilities:

  • Read/write any kernel memory with kernel privilege from user mode.
  • Read/write any user memory with kernel privilege from user mode.
  • Enumerate the loaded modules of a specific process by process ID.
  • Get system uptime.
  • Enumerate the threads in a specific process, allowing the PETHREAD structure to be read from the kernel directly from the command line interface (CLI).
  • Terminate a specific process by process ID with ZwTerminateProcess, which is called in the context of the vulnerable driver (ring-0).

The issue was also reported by Kento Oki to the Genshin Impact developer, miHoYo, as a vulnerability. Kento Oki’s PoC led to further discussion, but the vendor did not acknowledge the issue as a vulnerability and did not provide a fix. The code signing certificate has not been revoked, so the digital signature that allows the file to be loaded as a device driver is still valid at the time of writing.

Complications of code signing as a device driver

It is still rare to find a code-signed device driver module that can be abused in this way. The point of this case is that a legitimate device driver with a valid code signature gives user mode a way to act with kernel mode privileges. Even if the vendor recognizes the privilege bypass as a vulnerability and ships a patched driver, the already distributed module cannot be recalled. Because the file carries a valid driver code signature, Windows will load it in kernel mode. When a signature is applied to a malicious module using a stolen private key, the certificate can be revoked to invalidate that signature. Here, however, a legitimate module is being abused; there is no indication that the private key was compromised, so it is unknown whether the certificate will ever be revoked. It remains valid, at least for now.

As mentioned above, this module is very easy to obtain and will be available to everyone until every copy is gone. It could long remain a useful utility for bypassing privileges. Certificate revocation and antivirus detection can help deter abuse, but there is no workaround at this time, as this is a legitimate, validly signed module.

How to counter abuse: monitoring and detection

There are only a limited number of validly signed driver files whose behavior is comparable to the privilege bypass reported here. We recommend that security teams and network defenders monitor for the presence of the following hash value within their environments. We have confirmed that privilege bypass is possible in at least this file:

  • mhyprot2.sys (SHA-1: 0466e90bf0e83b776ca8716e01d35a8a2e5f96d3)

Additionally, we recommend that you monitor the Windows event logs for the installation of the service corresponding to the driver. If the installation of the service was not planned, a compromise is strongly suspected:

  • Windows Event Log (System) – 7045: A new service has been installed in the system. Service name: mhyprot2.
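The following PowerShell script is an added example, not code from the original article or from the researchers it cites. It turns the two recommendations above (hash monitoring and watching for the 7045 service-install event) into a single host-level hunt, and it also surfaces the point made in the code-signing section: a hit on this driver will have a Valid Authenticode status, so signature status must not be used to dismiss the finding. Assumptions not stated on the page: the hash is a SHA-1 (it is 40 hex characters long), the search roots are a reasonable place to look for a staged driver, and the script is run from an elevated session so the System log can be read.

```powershell
# Added example (not from the original article): hunt for the mhyprot2.sys driver on a
# Windows host by file hash, by service registration and by the 7045 service-install event.
# Assumptions: the article's hash is SHA-1; $SearchRoots is a starting point, not an
# exhaustive list; run elevated so Get-WinEvent can read the System log.

$KnownHashes = @('0466E90BF0E83B776CA8716E01D35A8A2E5F96D3')   # SHA-1 from the article
$ServiceName = 'mhyprot2'
$SearchRoots = @(
    "$env:SystemRoot\System32\drivers",
    "$env:ProgramData",
    "$env:TEMP",
    "$env:SystemDrive\Users"
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Hash sweep: compare every *.sys under the search roots against the known-bad list.
foreach ($root in $SearchRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter '*.sys' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Path $_.FullName -Algorithm SHA1 -ErrorAction SilentlyContinue).Hash
            if ($h -and ($KnownHashes -contains $h)) {
                # The signature on this file is expected to be Valid; that is exactly why
                # it can be loaded. A valid signature is not evidence the file is benign.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $findings.Add([pscustomobject]@{
                    Indicator = 'FileHash'
                    Detail    = $_.FullName
                    Extra     = "SHA1=$h; SigStatus=$($sig.Status); Signer=$($sig.SignerCertificate.Subject)"
                })
            }
        }
}

# 2. Service registration: the driver is installed as a kernel service named mhyprot2.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    $findings.Add([pscustomobject]@{
        Indicator = 'ServiceKey'
        Detail    = $svcKey
        Extra     = "ImagePath=$($svc.ImagePath); Start=$($svc.Start)"
    })
}

# 3. Event log: System event 7045 ("A service was installed in the system").
#    For 7045, Properties[0] is ServiceName, [1] ImagePath, [2] ServiceType, [4] AccountName.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $ServiceName }
foreach ($e in $events) {
    $findings.Add([pscustomobject]@{
        Indicator = 'Event7045'
        Detail    = $e.TimeCreated
        Extra     = "ImagePath=$($e.Properties[1].Value); Type=$($e.Properties[2].Value); Account=$($e.Properties[4].Value)"
    })
}

if ($findings.Count -eq 0) {
    Write-Output "No $ServiceName indicators found on $env:COMPUTERNAME."
} else {
    # Any hit on a host that never had Genshin Impact installed is the unplanned
    # service installation the article treats as a strong sign of compromise.
    $findings | Format-Table -AutoSize -Wrap
}
```

The 7045 check is the one worth forwarding to a SIEM: the hash sweep only finds the file if it is still on disk, whereas the service-install event survives after the attacker deletes the driver, and the ImagePath it records tells you where the file was staged.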
