The earliest evidence of compromise was a secretsdump from an unidentified endpoint of the targeted organization to one of the domain controllers. It was followed by the execution of discovery commands using wmiexec in the context of the built-in domain administrator account. Both secretsdump – which dumps secrets from the remote machine without executing any agent there – and wmiexec – which executes commands remotely through Windows Management Instrumentation (WMI) – are tools from Impacket, a free collection of Python classes for working with network protocols.
Shortly afterward, the threat actor connected to the domain controller via RDP using another compromised administrator account.
From there, everything was executed in the context of that user account.
Two files were transferred to the desktop: the malicious kill_svc.exe (C:\users\{compromised user}\kill_svc.exe) and the driver mhyprot2.sys (C:\users\{compromised user}\mhyprot2.sys).
This was the first point in the intrusion at which the vulnerable driver appeared. kill_svc.exe installed the mhyprot2 service, which loads the driver, and then used it to kill antivirus services.
Another malicious file, avg.msi, was transferred to the NETLOGON share (\\{domain controller}\NETLOGON\avg.msi). This Windows installer contains avg.exe, a malicious file masquerading as AVG Internet Security, which drops and executes the following:
logon.bat – A batch file that executes HelpPane.exe, kills antivirus and other services, and executes svchost.exe.
HelpPane.exe – A malicious file masquerading as Microsoft Help and Support executable; similar to kill_svc.exe, it installs mhyprot2.sys and kills antivirus services.
mhyprot2.sys – A vulnerable Genshin Impact anti-cheat driver.
svchost.exe – The ransomware payload.
Staging the installer on the NETLOGON share shows that the threat actor intended to mass-deploy the ransomware from the domain controller via a startup/logon script.
The Windows installer avg.msi hosted on the netlogon share was deployed to one workstation endpoint via Group Policy Object (GPO). We suspect that this was to test whether deployment via GPO would be successful, but this case resulted in a failure.
Afterward, the threat actor logged in to the workstation from the unidentified endpoint.
Both Logon Type 3 (Network Logon) and Logon Type 10 (RemoteInteractive) were observed.
The installer avg.msi was then run manually three times; this too failed to encrypt anything, although it did succeed in killing the antivirus services.
The file avg.exe, extracted from avg.msi, was also transferred to the desktop and executed three times.
In our analysis, this step did not work either, even though the antivirus was no longer running: whether launched from the .msi or from the .exe, the application hung.
In an attempt to make things work, the threat actor transferred logon.bat to the desktop and executed it manually.
The file logon.bat, which avg.exe was meant to drop and execute, was thus run on its own.
Surprisingly, executing logon.bat worked and the ransomware svchost.exe began dropping ransom notes and encrypting files.
Knowing this, the threat actor hosted the three files needed for mass deployment on a shared folder named “lol”: mhyprot2.sys, kill_svc.exe (to kill antivirus services), and svchost.exe (the ransomware).
A batch file named “b.bat” (C:\Users\{compromised user}\Desktop\b.bat), which copies and executes those files, was deployed via PsExec using the credentials of the built-in domain administrator account.
The target workstations were listed in the file ip.txt.
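The staging and deployment pattern described above (the driver and its killer dropped into a user profile, an installer staged on NETLOGON, PsExec pushing b.bat to the hosts in ip.txt) leaves service-installation, driver-load and file-creation telemetry that can be hunted. The Python below is an added example, not Trend Micro's tooling and not anything recovered from the incident: it runs a few rules over constructed event records whose field names mirror the Windows System log (event 7045: ServiceName, ImagePath) and Sysmon (event 6: ImageLoaded, Signature; event 11: TargetFilename), flattened into dicts. Host names, paths, account names and the signer string in the sample are invented.

```python
import ntpath
from collections import defaultdict

DRIVER_NAME = "mhyprot2.sys"

# Constructed sample telemetry (not real incident data). Each dict is one
# flattened event: System log 7045 (service installed), Sysmon 6 (driver
# loaded) and Sysmon 11 (file created). Hosts, paths and signer are invented.
SAMPLE_EVENTS = [
    {"id": 7045, "host": "DC01", "ServiceName": "mhyprot2",
     "ImagePath": "\\??\\C:\\Users\\opsadmin\\mhyprot2.sys", "ServiceType": "kernel mode driver"},
    {"id": 11, "host": "DC01", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "\\\\DC01\\NETLOGON\\avg.msi"},
    {"id": 7045, "host": "WS17", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service"},
    {"id": 6, "host": "WS17", "ImageLoaded": "C:\\Users\\opsadmin\\mhyprot2.sys",
     "Signature": "Example Game Vendor", "SignatureStatus": "Valid"},
    {"id": 7045, "host": "WS18", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "ServiceType": "user mode service"},
    {"id": 6, "host": "WS18", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"id": 11, "host": "WS18", "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\Users\\opsadmin\\AppData\\Local\\Temp\\setup.log"},
]


def _basename(path: str) -> str:
    # ntpath splits on "\" and "/" and copes with \??\ and UNC prefixes
    return ntpath.basename(path).lower()


def hunt(events):
    """Return a list of (host, rule, detail) for events matching the chain."""
    findings = []
    for e in events:
        host, eid = e["host"], e["id"]
        if eid == 7045:  # Service Control Manager: a new service was installed
            name = e.get("ServiceName", "").lower()
            image = e.get("ImagePath", "")
            if name == "mhyprot2" or _basename(image) == DRIVER_NAME:
                findings.append((host, "driver_service_installed", image))
            elif name == "psexesvc":  # the service PsExec installs on a target
                findings.append((host, "psexec_service_installed", image))
        elif eid == 6:  # Sysmon DriverLoad
            loaded = e.get("ImageLoaded", "")
            if _basename(loaded) == DRIVER_NAME:
                # The driver carries a valid vendor signature, so the signer
                # alone proves nothing; a copy under a user profile is the tell.
                where = "user profile" if "\\users\\" in loaded.lower() else "elsewhere"
                findings.append((host, "driver_loaded", f"{loaded} [{where}]"))
        elif eid == 11:  # Sysmon FileCreate
            target = e.get("TargetFilename", "")
            low = target.lower()
            if "\\netlogon\\" in low and low.endswith((".msi", ".bat", ".exe")):
                findings.append((host, "netlogon_share_staging", target))
    return findings


def triage(events):
    """Collapse findings per host into a severity: the driver together with a
    remote-execution or logon-script deployment path is the worst case."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in hunt(events):
        rules_by_host[host].add(rule)
    severity = {}
    for host, rules in rules_by_host.items():
        has_driver = bool(rules & {"driver_service_installed", "driver_loaded"})
        has_deploy = bool(rules & {"psexec_service_installed", "netlogon_share_staging"})
        if has_driver and has_deploy:
            severity[host] = "high"
        elif has_driver:
            severity[host] = "medium"
        else:
            severity[host] = "low"
    return severity


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
    print(triage(SAMPLE_EVENTS))
```

The Logon Type 3 and 10 events mentioned earlier are left out of the rules on purpose: on their own they are routine for administrators and serve better as context when pivoting from a high-severity host to the source address. Matching the driver by file name will also fire on machines where the game is legitimately installed, which is why the rule records whether the copy lives under a user profile; and because the file is validly signed, any preventive control should block it by hash or version (a WDAC driver block rule, or Microsoft's vulnerable driver blocklist if it already covers this driver) rather than by signer.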
kill_svc.exe/HelpPane.exe obtains a handle to the mhyprot2 driver's device object with NtOpenFile (NtOpenFile only opens the device; the driver itself is loaded when the mhyprot2 service is installed and started).
After opening the device, kill_svc.exe/HelpPane.exe builds its list of processes to be terminated.
It then passes this list to the driver with the DeviceIoControl function.
The control code sent is 0x81034000, which instructs the driver to terminate the listed processes from kernel mode (ring 0), where the handle access checks that stop an ordinary user-mode process from killing an antivirus service do not apply.
The mhyprot2.sys driver found in this sequence was the build from August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and because it let user-mode code perform privileged, kernel-level operations.
A PoC, provided by user kagurazakasanae, showed a library that used the driver to terminate 360 Total Security. A more comprehensive PoC, provided by Kento Oki, had the following capabilities:
Read/Write any kernel memory with privilege of kernel from user mode.
Read/Write any user memory with privilege of kernel from user mode.
Enumerate a number of modules by specific process id.
Get system uptime.
Enumerate threads in a specific process, allowing the PETHREAD structure in the kernel to be read directly from the command-line interface (CLI).
Terminate a specific process by process id with ZwTerminateProcess, which the vulnerable driver calls in its own kernel context (ring 0).