Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

August 28, 2022

The compromise began with a secretsdump from an unidentified endpoint to a domain controller, followed by discovery commands executed via wmiexec using the built-in domain administrator account. Both tools—secretsdump and wmiexec—are part of Impacket, a Python-based collection for network protocol manipulation.

Shortly after, the threat actor connected to the domain controller via RDP using a compromised administrator account. All subsequent activities were conducted within the context of this user account.

Deployment of Malicious Files

Two malicious files, kill_svc.exe and mhyprot2.sys, were transferred to the desktop. The vulnerable mhyprot2.sys driver, associated with Genshin Impact’s anti-cheat system, was used to disable antivirus services.

Another file, avg.msi, was transferred to the Netlogon share. This installer contained avg.exe, which masqueraded as AVG Internet Security and executed:

  • logon.bat: Executes HelpPane.exe, disables antivirus services, and triggers svchost.exe.
  • HelpPane.exe: Poses as a legitimate Microsoft file, installs mhyprot2.sys, and kills antivirus services.
  • mhyprot2.sys: A vulnerable driver.
  • svchost.exe: The ransomware payload.

The ransomware was intended for mass deployment via the domain controller, leveraging startup/logon scripts.

Failed and Successful Deployments

An initial deployment test using Group Policy Object (GPO) failed. The threat actor attempted to manually install avg.msi three times, which also failed to encrypt files but succeeded in disabling antivirus services.

Subsequently, the attacker executed logon.bat manually, which successfully initiated the ransomware (svchost.exe). This began dropping ransom notes and encrypting files.

Mass Deployment via Shared Folder

To scale the attack, the threat actor hosted necessary files (mhyprot2.sys, kill_svc.exe, and svchost.exe) in a shared folder named “lol.” A batch file, b.bat, was deployed using PsExec with credentials from the built-in domain administrator account. The script listed target workstations in ip.txt for execution.

Exploitation of mhyprot2.sys Driver

The mhyprot2.sys driver was used to terminate processes and disable antivirus protections. This driver was originally associated with Genshin Impact and allowed privilege escalation. In this intrusion the driver:

  • Was loaded via the NtOpenFile function.
  • Terminated processes using the DeviceIoControl function with control code 0x81034000.
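
The driver load, the installer dropped to the Netlogon share, and the PsExec fan-out of kill_svc.exe and svchost.exe described above are all visible in endpoint telemetry. The following is an added detection example, not code from the original report: it runs a few checks over constructed Sysmon-style log lines, and the hostnames, file paths and simplified key=value record format are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style events in a simplified key=value form (not taken
# from the original report); hosts and paths are sample values, not known IoCs.
SAMPLE_LOGS = [
    'EventID=6 Host=DC01 ImageLoaded=C:\\Users\\Administrator\\Desktop\\mhyprot2.sys',
    'EventID=11 Host=DC01 Image=C:\\Windows\\explorer.exe TargetFilename=C:\\Windows\\SYSVOL\\sysvol\\corp.local\\scripts\\avg.msi',
    'EventID=1 Host=WS07 Image=C:\\Windows\\kill_svc.exe ParentImage=C:\\Windows\\PSEXESVC.exe',
    'EventID=1 Host=WS07 Image=\\\\DC01\\lol\\svchost.exe ParentImage=C:\\Windows\\PSEXESVC.exe',
    'EventID=1 Host=WS07 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe',
    'EventID=6 Host=WS07 ImageLoaded=C:\\Windows\\System32\\drivers\\ndis.sys',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Split one key=value record into a dict (quoted values are unquoted)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def base(path):
    return ntpath.basename(path).lower()

def check(ev):
    """Return the alerts raised by a single parsed event."""
    alerts = []
    eid = ev.get("EventID")
    if eid == "6":  # driver loaded: the vulnerable anti-cheat driver itself
        if base(ev.get("ImageLoaded", "")) == "mhyprot2.sys":
            alerts.append(f"vulnerable driver mhyprot2.sys loaded from {ev['ImageLoaded']}")
    elif eid == "11":  # file created under the Netlogon (SYSVOL scripts) share
        target = ev.get("TargetFilename", "")
        if "\\scripts\\" in target.lower() and base(target).endswith((".msi", ".bat", ".exe")):
            alerts.append(f"installer/script written to Netlogon share: {target}")
    elif eid == "1":  # process created
        image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
        if base(parent) == "psexesvc.exe" and base(image) in {"kill_svc.exe", "svchost.exe"}:
            alerts.append(f"PsExec service launched {base(image)} from {image}")
        # The ransomware payload borrowed the svchost.exe name but not its location.
        if base(image) == "svchost.exe" and not image.lower().startswith("c:\\windows\\system32\\"):
            alerts.append(f"svchost.exe running outside System32: {image}")
    return alerts

def scan(lines):
    """Return (host, alert) tuples for every suspicious record."""
    hits = []
    for line in lines:
        ev = parse(line)
        hits.extend((ev.get("Host", "?"), a) for a in check(ev))
    return hits

if __name__ == "__main__":
    for host, alert in scan(SAMPLE_LOGS):
        print(f"[{host}] {alert}")
```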

Vulnerability History of mhyprot2.sys

The vulnerable driver, built in August 2020, was discussed in gaming communities after Genshin Impact’s release. It remained active even after uninstalling the game. Proof-of-concept (PoC) exploits by Kagurazakasanae and Kento Oki demonstrated its capabilities, including:

  • Privilege Escalation: Read/write kernel memory from user mode.
  • Process Termination: Directly terminate processes via ZwTerminateProcess.
  • Enumeration: Access kernel structures, threads, and uptime data.

Conclusion

This incident highlights the misuse of a legitimate driver for ransomware attacks. The mhyprot2.sys driver, originally part of a gaming anti-cheat system, became a powerful tool for disabling antivirus protections and enabling privilege escalation. Organizations must remain vigilant against such abuse of legitimate software and implement strong endpoint monitoring and defense mechanisms.
