Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

The earliest evidence of compromise was a secretsdump from an unidentified endpoint of the targeted organization to one of the domain controllers. It was followed by the execution of discovery commands using wmiexec in the context of the built-in domain administrator account. Both secretsdump – which dumps secrets from the remote machine without executing any agent there – and wmiexec – which executes commands remotely through Windows Management Instrumentation (WMI) – are tools from Impacket, a free collection of Python classes for working with network protocols.

Shortly afterward, the threat actor connected to the domain controller via RDP using another compromised administrator account.
From there, everything was executed in the context of that user account.

A malicious file, kill_svc.exe (C:users{compromised user}kill_svc.exe), and mhyprot2.sys (C:users{compromised user}mhyprot2.sys) were transferred to the desktop.
This was the first time that the vulnerable driver was seen. The file kill_svc.exe installed the mhyprot2 service and killed antivirus services.

Another malicious file, avg.msi, was transferred to the netlogon share \{domaincontroller}NETLOGONavg.msi. This Windows installer contains avg.exe, a malicious file masquerading as AVG Internet Security, and is responsible for dropping and executing the following:

logon.bat – A batch file that executes HelpPane.exe, kills antivirus and other services, and executes svchost.exe.
HelpPane.exe – A malicious file masquerading as Microsoft Help and Support executable; similar to kill_svc.exe, it installs mhyprot2.sys and kills antivirus services.
mhyprot2.sys – A vulnerable Genshin Impact anti-cheat driver.
svchost.exe – The ransomware payload.
This also shows that the threat actor intended to mass-deploy the ransomware using the domain controller via startup/logon script.
The Windows installer avg.msi hosted on the netlogon share was deployed to one workstation endpoint via Group Policy Object (GPO). We suspect that this was to test whether deployment via GPO would be successful, but this case resulted in a failure.

Afterward, the threat actor logged in to the workstation from the unidentified endpoint.
Both Logon Type 3 (Network Logon) and Logon Type 10 (RemoteInteractive) were observed.
The Windows installer avg.msi was manually installed three times, which also resulted in a failure – no encryption. However, it was successful in killing the antivirus services.

The file avg.exe, extracted from avg.msi, was also transferred to the desktop and executed three times.
However, in our analysis, we found that this step also did not work even though the antivirus was no longer working. Apparently, using the the .msi or .exe file resulted in the applications’ being stuck.

In an attempt to make things work, the threat actor transferred logon.bat to the desktop and executed it manually.
The file logon.bat, supposedly dropped and executed by avg.exe, was used as a standalone.

Surprisingly, executing logon.bat worked and the ransomware svchost.exe began dropping ransom notes and encrypting files.
Knowing this, the threat actor hosted three files necessary for mass deployment on a shared folder named “lol”: mhyprot2.sys, kill_svc.exe (for killing antivirus services), and svchost.exe (the ransomware).

A batch file named “b.bat” (C:Users{compromised user}Desktopb.bat), responsible for copying and executing the files mentioned above, was deployed via PsExec using the credentials of the built-in domain administrator account.
It listed target workstations in the file ip.txt.

The driver mhyprot2.sys is loaded by kill_svc.exe/HelpPane.exe using the NtOpenFile function.
After loading mhyprot2.sys, kill_svc.exe/HelpPane.exe checks a list of processes to be terminated.
Afterward, it passes this information to the driver using the DeviceIoControl function.
The control code 0x81034000 is sent to the driver, instructing it to terminate the processes in the list.
The mhyprot2.sys driver that was found in this sequence was the one built in August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and because it allowed bypassing of privileges.

A PoC, provided by user kagurazakasanae, showed that a library terminated 360 Total Security. A more comprehensive PoC, provided by Kento Oki, had the following capabilities:
Read/Write any kernel memory with privilege of kernel from user mode.
Read/Write any user memory with privilege of kernel from user mode.
Enumerate a number of modules by specific process id.
Get system uptime.
Enumerate threads in a specific process, allowing reading of the PETHREAD structure in the kernel directly from the command-line interface (CLI).
Terminate a specific process by process id with ZwTerminateProcess, which calls in the vulnerable driver context (ring-0).

Sign Up For Threat Alerts

Loading...
Threats Icon

Sep 21, 2022

Magic Rat

Cisco Talos has discovered a new remote access trojan (RAT), which analysts are calling "MagicRAT,"...

Threats Icon

Sep 21, 2022

Malicious Word Document with a Frameset

Xavier Mertens spotted a malicious Word OOXML document (with the new ".docx" format) that is...

Threats Icon

Sep 18, 2022

US Cert Alert – Iranian Islamic Revolutionary...

The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple...

Threats Icon

Sep 15, 2022

Opsec Mistakes Reveal COBALT MIRAGE Threat Actors

In this incident, COBALT MIRAGE exploited the ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). It is...

Threats Icon

Sep 14, 2022

Dead or Alive – An Emotet Story

The DFIR Report observed a domain-wide compromise that started from a malware ridden Excel document...

Threats Icon

Sep 13, 2022

Dead or Alive? An Emotet Story

The DFIR Report observed a domain-wide compromise that started from a malware ridden Excel document...

Threats Icon

Sep 12, 2022

Shikitega – New stealthy malware targeting Linux

AT&T Alien Labs has discovered a new malware targeting endpoints and IoT devices that are...

Threats Icon

Sep 08, 2022

APT42: Crooked Charms, Cons and Compromises

Mandiant assesses with high confidence that APT42 is an Iranian state-sponsored cyber espionage group tasked...

Threats Icon

Sep 07, 2022

US Cert Alert – Vice Society

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the...

Threats Icon

Sep 07, 2022

Worok – The big picture

ESET researchers recently found targeted attacks that used undocumented tools against various high-profile companies and...

Threats Icon

Sep 07, 2022

MuddyWater Targets Israel With Log4j Vulnerabilities In...

In recent weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team...

Threats Icon

Sep 05, 2022

No Honor Among Thieves – Prynt Stealer’s...

Stealing information is fundamental to cybercriminals today to scope and gain access to systems, profile...

Threats Icon

Sep 05, 2022

Grandoreiro Banking Trojan with New TTPs Targeting...

Recently Zscaler ThreatLabz observed a Grandoreiro campaign targeting organizations in the Spanish-speaking nations of Mexico...

Threats Icon

Sep 01, 2022

A Tale of PivNoxy and Chinoxy Puppeteer

An attack against a telecommunications agency in South Asia began with a simple email that...

Threats Icon

Aug 31, 2022

New Golang Ransomware Agenda Customizes Attacks

Investigation revealed that the new ransomware in question targeted enterprises in Asia and Africa. Based...