Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

The earliest evidence of compromise was a secretsdump from an unidentified endpoint of the targeted organization to one of the domain controllers. It was followed by the execution of discovery commands using wmiexec in the context of the built-in domain administrator account. Both secretsdump – which dumps secrets from the remote machine without executing any agent there – and wmiexec – which executes commands remotely through Windows Management Instrumentation (WMI) – are tools from Impacket, a free collection of Python classes for working with network protocols.

Shortly afterward, the threat actor connected to the domain controller via RDP using another compromised administrator account.
From there, everything was executed in the context of that user account.

A malicious file, kill_svc.exe (C:users{compromised user}kill_svc.exe), and mhyprot2.sys (C:users{compromised user}mhyprot2.sys) were transferred to the desktop.
This was the first time that the vulnerable driver was seen. The file kill_svc.exe installed the mhyprot2 service and killed antivirus services.

Another malicious file, avg.msi, was transferred to the netlogon share \{domaincontroller}NETLOGONavg.msi. This Windows installer contains avg.exe, a malicious file masquerading as AVG Internet Security, and is responsible for dropping and executing the following:

logon.bat – A batch file that executes HelpPane.exe, kills antivirus and other services, and executes svchost.exe.
HelpPane.exe – A malicious file masquerading as Microsoft Help and Support executable; similar to kill_svc.exe, it installs mhyprot2.sys and kills antivirus services.
mhyprot2.sys – A vulnerable Genshin Impact anti-cheat driver.
svchost.exe – The ransomware payload.
This also shows that the threat actor intended to mass-deploy the ransomware using the domain controller via startup/logon script.
The Windows installer avg.msi hosted on the netlogon share was deployed to one workstation endpoint via Group Policy Object (GPO). We suspect that this was to test whether deployment via GPO would be successful, but this case resulted in a failure.

Afterward, the threat actor logged in to the workstation from the unidentified endpoint.
Both Logon Type 3 (Network Logon) and Logon Type 10 (RemoteInteractive) were observed.
The Windows installer avg.msi was manually installed three times, which also resulted in a failure – no encryption. However, it was successful in killing the antivirus services.

The file avg.exe, extracted from avg.msi, was also transferred to the desktop and executed three times.
However, in our analysis, we found that this step also did not work even though the antivirus was no longer working. Apparently, using the the .msi or .exe file resulted in the applications’ being stuck.

In an attempt to make things work, the threat actor transferred logon.bat to the desktop and executed it manually.
The file logon.bat, supposedly dropped and executed by avg.exe, was used as a standalone.

Surprisingly, executing logon.bat worked and the ransomware svchost.exe began dropping ransom notes and encrypting files.
Knowing this, the threat actor hosted three files necessary for mass deployment on a shared folder named “lol”: mhyprot2.sys, kill_svc.exe (for killing antivirus services), and svchost.exe (the ransomware).

A batch file named “b.bat” (C:Users{compromised user}Desktopb.bat), responsible for copying and executing the files mentioned above, was deployed via PsExec using the credentials of the built-in domain administrator account.
It listed target workstations in the file ip.txt.

The driver mhyprot2.sys is loaded by kill_svc.exe/HelpPane.exe using the NtOpenFile function.
After loading mhyprot2.sys, kill_svc.exe/HelpPane.exe checks a list of processes to be terminated.
Afterward, it passes this information to the driver using the DeviceIoControl function.
The control code 0x81034000 is sent to the driver, instructing it to terminate the processes in the list.
The mhyprot2.sys driver that was found in this sequence was the one built in August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and because it allowed bypassing of privileges.

A PoC, provided by user kagurazakasanae, showed that a library terminated 360 Total Security. A more comprehensive PoC, provided by Kento Oki, had the following capabilities:
Read/Write any kernel memory with privilege of kernel from user mode.
Read/Write any user memory with privilege of kernel from user mode.
Enumerate a number of modules by specific process id.
Get system uptime.
Enumerate threads in a specific process, allowing reading of the PETHREAD structure in the kernel directly from the command-line interface (CLI).
Terminate a specific process by process id with ZwTerminateProcess, which calls in the vulnerable driver context (ring-0).

Sign Up For Threat Alerts

Loading...
Threats Icon

Jul 04, 2023

Rhysida Ransomware RaaS Crawls Out of Crimeware...

The Rhysida ransomware-as-a-service (RaaS) group has gone from a dubious newcomer to a fully-fledged ransomware...

Threats Icon

Jun 26, 2023

Operation Magalenha – Long-Running Campaign Pursues Portuguese...

The attackers can steal credentials and exfiltrate users' data and personal information, which can be...

Threats Icon

Apr 24, 2023

Lazarus Group Adds Linux Malware to Arsenal...

Researchers have discovered a new campaign conducted by Lazarus, known as "Operation DreamJob," which targets...

Threats Icon

Apr 23, 2023

Additional IOCs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed.

Threats Icon

Apr 23, 2023

Ex-Conti and FIN7 Actors Collaborate with New...

IBM Security X-Force recently discovered a new malware family Analysts have called "Domino," which Analysts...

Threats Icon

Apr 20, 2023

AuKill EDR killer malware abuses Process Explorer...

The AuKill tool abuses an outdated version of the driver used by version 16.32 of...

Threats Icon

Apr 20, 2023

Fake Chrome updates spread malware

A campaign running since the end of last year is using hacked sites to push...

Threats Icon

Apr 20, 2023

QBot using new attack vector in its...

QBot, also known as QakBot, previously operated as a banking trojan and has since transformed...

Threats Icon

Apr 20, 2023

CrossLock Ransomware Emerges: New Golang – Based...

The CrossLock ransomware employs the double extortion technique to increase the likelihood of payment from...

Threats Icon

Apr 20, 2023

Windows Zero-Day Vulnerability CVE-2023-28252 Exploited by Nokoyawa...

A zero-day vulnerability in the Microsoft Windows system, which also affects Windows 11, has been...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

Additional IOcs for 3cx breach

Recently an unexpected malicious activity emanating from a legitimate, signed binary, 3CXDesktopApp was observed. As...

Threats Icon

Apr 18, 2023

APT36 Expands Interest Within Indian Education Sector

Symantec described UPS in 2016 report as Buckeye (also known as APT3 Gothic Panda UPS...

Threats Icon

Apr 17, 2023

ChinaZ DDoS Bot Malware Distributed To Linux...

The ChinaZ DDoS bot malware was discovered targeting Linux systems while a version for Microsoft...

Threats Icon

Apr 16, 2023

Resurgence Of The Mexals Cryptojacking Campaign

The Mexals crypto jacking campaign has been in operation since at least 2021 and continues...