{"id":56939,"date":"2022-08-26T09:47:57","date_gmt":"2022-08-26T09:47:57","guid":{"rendered":"https:\/\/harchi90.com\/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus\/"},"modified":"2022-08-26T09:47:57","modified_gmt":"2022-08-26T09:47:57","slug":"ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus","status":"publish","type":"post","link":"https:\/\/harchi90.com\/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus\/","title":{"rendered":"Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus"},"content":{"rendered":"<div>\n<p>the <i>mhyprot2.sys<\/i> driver that was found in this sequence was the one built in August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and because it allowed bypassing of privileges.<\/p>\n<p>A PoC, provided by user kagurazakasanae, showed that a library terminated 360 Total Security.  A more comprehensive PoC, provided by Kento Oki, had the following capabilities:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Read\/Write any kernel memory with privilege of kernel from user mode.<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Read\/Write any user memory with privilege of kernel from user mode.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enumerate a number of modules by specific process id.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Get system uptime.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Enumerate threads in a specific process, allowing reading of the PETHREAD structure in the kernel directly from the command-line interface (CLI).<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Terminate a specific process by process id with <i>ZwTerminateProcess<\/i>which calls in the vulnerable driver context (<i>ring-0<\/i>).<\/span><\/li>\n<\/ul>\n<p>The issue was also reported by Kento Oki to miHoYo, the developer of Genshin Impact, as a vulnerability.  Kento Oki&#8217;s PoC led to more discussions, but the provider did not acknowledge the issue as a vulnerability and did not provide a fix.  Of course, the code-signing certificate is still valid and has not been revoked until now and the digital signature for code signing as a device driver is still valid at this time.<\/p>\n<p><span class=\"body-subhead-title\">Complications of code signing as a device driver <\/span><\/p>\n<p>It is still rare to find a module with code signing as a device driver that can be abused.  The point of this case is that a legitimate device driver module with valid code signing has the capability to bypass privileges from user mode to kernel mode.  Even if a vendor acknowledges a privilege bypass as a vulnerability and provides a fix, the module cannot be erased once distributed.  This file has a code signature for the driver, which allows this module to be loaded in kernel mode.  If the signature was signed for a malicious module through private key theft, the certificate can be revoked to invalidate the signature.  However, in this case, it is an abuse of a legitimate module.  It seems that there is no compromise of the private key, so it is still not known if the certificate will be revoked.  It remains valid, at least for now. <\/p>\n<p>As mentioned above, this module is very easy to obtain and will be available to everyone until it is erased from existence.  It could remain for a long time as a useful utility for bypassing privileges.  Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.<\/p>\n<p><span class=\"body-subhead-title\">How to counter abuse: monitoring and detection<\/span><\/p>\n<p>There are only a limited number of driver files with valid signatures that are expected to have behavior comparable to the privilege bypassing we report here.  We recommend that security teams and network defenders monitor the presence of the hash values \u200b\u200bwithin their organizations.  We have confirmed that privilege bypassing is possible in at least this file:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>mhyprot2.sys<\/i> (0466e90bf0e83b776ca8716e01d35a8a2e5f96d3)<\/span><\/li>\n<\/ul>\n<p>In addition, we recommend monitoring Windows event logs for the installation of the service corresponding to the driver.  If the installation of the service was not intended, compromise is strongly doubted:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Windows Event Log (System) \u2013 7045: A new service was installed in the system.  Service name: <i>mhyprot2<\/i>.<\/span><\/li>\n<\/ul><\/div>\n<p>    .<\/p>\n","protected":false},"excerpt":{"rendered":"<p>the mhyprot2.sys driver that was found in this sequence was the one built in August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and &hellip;<\/p>\n<p class=\"read-more\"> <a class=\"\" href=\"https:\/\/harchi90.com\/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus\/\"> <span class=\"screen-reader-text\">Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus<\/span> Read More &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"default","ast-global-header-display":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[4],"tags":[4647,21183,21184,46,6922,2101,12191],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack-related-posts":[{"id":60657,"url":"https:\/\/harchi90.com\/genshin-security-impact-hackaday\/","url_meta":{"origin":56939,"position":0},"title":"Genshin Security Impact |  hackaday","date":"August 30, 2022","format":false,"excerpt":"An MMORPG with cute anime-style characters and maybe a bit too much inspiration taken from another classic Nintendo franchise, Genshin Impact is a relatively popular game across the PlayStation, iOS, Android, and PC platforms. That last one has already generated a bit of controversy, since the PC version game includes\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":38832,"url":"https:\/\/harchi90.com\/realtek-r8188eu-driver-sees-huge-cleanups-with-linux-6-0\/","url_meta":{"origin":56939,"position":1},"title":"Realtek R8188EU Driver Sees &#8220;Huge Cleanups&#8221; With Linux 6.0","date":"August 8, 2022","format":false,"excerpt":"Along with his various other pull requests for areas of the kernel he oversees, Greg Kroah-Hartman submitted the Linux 6.0 staging changes this week. Linux's staging area is where yet-to-be-proven \/ still-work-in-progress code is being merged until improved upon and promoted to the respective kernel subsystem \/ main area. Linux's\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":46620,"url":"https:\/\/harchi90.com\/linux-6-0-supporting-new-intel-amd-hardware-performance-improvements-much-more\/","url_meta":{"origin":56939,"position":2},"title":"Linux 6.0 Supporting New Intel\/AMD Hardware, Performance Improvements &#038; Much More","date":"August 16, 2022","format":false,"excerpt":"Yesterday marked the release of Linux 6.0-rc1 and as such the merge window is now over and no more feature work is set to land in this kernel version. Here is my write-up of all the interesting new features and changes\/improvements coming for Linux 6.0. This kernel was originally going\u2026","rel":"","context":"In &quot;Technology&quot;","img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"fifu_image_url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/h\/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus\/Genshin%20blog%20banner.png","_links":{"self":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/56939"}],"collection":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/comments?post=56939"}],"version-history":[{"count":0,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/posts\/56939\/revisions"}],"wp:attachment":[{"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/media?parent=56939"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/categories?post=56939"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/harchi90.com\/wp-json\/wp\/v2\/tags?post=56939"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}