Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

The earliest evidence of compromise was a secretsdump from an unidentified endpoint of the targeted organization to one of the domain controllers. It was followed by the execution of discovery commands using wmiexec in the context of the built-in domain administrator account. Both secretsdump – which dumps secrets from the remote machine without executing any agent there – and wmiexec – which executes commands remotely through Windows Management Instrumentation (WMI) – are tools from Impacket, a free collection of Python classes for working with network protocols.

Shortly afterward, the threat actor connected to the domain controller via RDP using another compromised administrator account.
From there, everything was executed in the context of that user account.

A malicious file, kill_svc.exe (C:\Users\{compromised user}\kill_svc.exe), and mhyprot2.sys (C:\Users\{compromised user}\mhyprot2.sys) were transferred to the desktop.
This was the first time that the vulnerable driver was seen. The file kill_svc.exe installed the mhyprot2 service and killed antivirus services.

Another malicious file, avg.msi, was transferred to the netlogon share \\{domain controller}\NETLOGON\avg.msi. This Windows installer contains avg.exe, a malicious file masquerading as AVG Internet Security, and is responsible for dropping and executing the following:

logon.bat – A batch file that executes HelpPane.exe, kills antivirus and other services, and executes svchost.exe.
HelpPane.exe – A malicious file masquerading as Microsoft Help and Support executable; similar to kill_svc.exe, it installs mhyprot2.sys and kills antivirus services.
mhyprot2.sys – A vulnerable Genshin Impact anti-cheat driver.
svchost.exe – The ransomware payload.
This also shows that the threat actor intended to mass-deploy the ransomware using the domain controller via startup/logon script.
The Windows installer avg.msi hosted on the netlogon share was deployed to one workstation endpoint via Group Policy Object (GPO). We suspect that this was to test whether deployment via GPO would be successful, but this case resulted in a failure.

Afterward, the threat actor logged in to the workstation from the unidentified endpoint.
Both Logon Type 3 (Network Logon) and Logon Type 10 (RemoteInteractive) were observed.
The Windows installer avg.msi was manually installed three times, which also resulted in a failure – no encryption. However, it was successful in killing the antivirus services.

The file avg.exe, extracted from avg.msi, was also transferred to the desktop and executed three times.
However, in our analysis, we found that this step also did not work even though the antivirus was no longer running. Apparently, using either the .msi or the .exe file resulted in the application getting stuck.

In an attempt to make things work, the threat actor transferred logon.bat to the desktop and executed it manually.
The file logon.bat, supposedly dropped and executed by avg.exe, was used as a standalone.

Surprisingly, executing logon.bat worked and the ransomware svchost.exe began dropping ransom notes and encrypting files.
Knowing this, the threat actor hosted three files necessary for mass deployment on a shared folder named “lol”: mhyprot2.sys, kill_svc.exe (for killing antivirus services), and svchost.exe (the ransomware).

A batch file named “b.bat” (C:\Users\{compromised user}\Desktop\b.bat), responsible for copying and executing the files mentioned above, was deployed via PsExec using the credentials of the built-in domain administrator account.
It listed target workstations in the file ip.txt.

The driver mhyprot2.sys is loaded by kill_svc.exe/HelpPane.exe using the NtOpenFile function.
After loading mhyprot2.sys, kill_svc.exe/HelpPane.exe checks a list of processes to be terminated.
Afterward, it passes this information to the driver using the DeviceIoControl function.
The control code 0x81034000 is sent to the driver, instructing it to terminate the processes in the list.
The mhyprot2.sys driver that was found in this sequence was the one built in August 2020. Going back to social media streams, we can see that shortly after Genshin Impact was released in September 2020, this module was discussed in the gaming community because it was not removed even after the game was uninstalled and because it allowed bypassing of privileges.
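The sequence above (driver copied into a user profile, registered as a service, loaded, and then used to terminate security processes, with the installer staged on the domain controller's logon-script share) leaves a recognisable trail in endpoint telemetry. The Python script below is an added example written for this article, not code from the original report or from the threat actor's tooling. It runs a few detection rules over constructed log records rendered in a simplified key=value form (the field names mirror System log event 7045 for a service installation and Sysmon events 6, 5 and 11 for driver load, process termination and file creation, but the text format itself is an assumption made for the example), and correlates process terminations that occur shortly after the vulnerable driver is loaded on the same host. The choice of a five-minute window, the mapping of the NETLOGON share onto the SYSVOL scripts directory, and the AV process names are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records, not telemetry from the incident. One event per line:
# <ISO timestamp> host=<name> event=<id> <Field>=<value> ...
SAMPLE_LOG = """
2023-02-01T10:00:02 host=WS01 event=7045 ServiceName=mhyprot2 ImagePath=C:\\Users\\user1\\mhyprot2.sys
2023-02-01T10:00:03 host=WS01 event=6 ImageLoaded=C:\\Users\\user1\\mhyprot2.sys
2023-02-01T10:00:05 host=WS01 event=5 Image=C:\\Program Files\\AVProduct\\avservice.exe
2023-02-01T10:00:06 host=WS01 event=5 Image=C:\\Program Files\\AVProduct\\avui.exe
2023-02-01T10:05:00 host=DC01 event=11 TargetFilename=C:\\Windows\\SYSVOL\\domain\\scripts\\avg.msi
2023-02-01T11:00:00 host=WS02 event=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys
2023-02-01T12:00:00 host=WS02 event=5 Image=C:\\Windows\\notepad.exe
"""

DRIVER_NAME = "mhyprot2"                  # service/driver name seen in the intrusion
TERMINATION_WINDOW = timedelta(minutes=5)  # assumed correlation window
STAGING_EXT = (".msi", ".bat", ".exe", ".sys")

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<rest>.*)$")
# Values may contain spaces ("Program Files"), so a field ends only where the next
# "Key=" token begins or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line):
    """Turn one key=value record into a dict; returns None for blank/malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    fields["ts"] = datetime.fromisoformat(m.group("ts"))
    return fields


def is_logon_script_share(path):
    """Assumption: NETLOGON is backed by SYSVOL\\<domain>\\scripts on the DC."""
    p = path.lower()
    return ("\\netlogon\\" in p or "\\sysvol\\" in p) and p.endswith(STAGING_EXT)


def detect(log_text):
    """Return (host, description, artefact) findings for the driver-abuse chain."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    driver_seen_at = {}  # host -> first time the vulnerable driver appeared there
    for e in events:
        host, eid = e.get("host", "?"), e.get("event")
        if eid == "7045" and (DRIVER_NAME in e.get("ServiceName", "").lower()
                              or DRIVER_NAME in e.get("ImagePath", "").lower()):
            findings.append((host, "vulnerable anti-cheat driver installed as a service",
                             e.get("ImagePath", "")))
            driver_seen_at.setdefault(host, e["ts"])
        elif eid == "6" and e.get("ImageLoaded", "").lower().endswith(DRIVER_NAME + ".sys"):
            findings.append((host, "vulnerable anti-cheat driver loaded", e["ImageLoaded"]))
            driver_seen_at.setdefault(host, e["ts"])
        elif eid == "5":
            # A process dying right after the driver appears is the "kill AV" step.
            t0 = driver_seen_at.get(host)
            if t0 is not None and timedelta(0) <= e["ts"] - t0 <= TERMINATION_WINDOW:
                findings.append((host, "process terminated shortly after vulnerable driver loaded",
                                 e.get("Image", "")))
        elif eid == "11" and is_logon_script_share(e.get("TargetFilename", "")):
            findings.append((host, "installer/script staged on logon-script share",
                             e["TargetFilename"]))
    return findings


def hosts_with_driver_and_kills(findings):
    """Hosts where the driver was seen AND processes were terminated afterwards."""
    drivers = {h for h, desc, _ in findings if "driver" in desc and "terminated" not in desc}
    kills = {h for h, desc, _ in findings if "terminated" in desc}
    return drivers & kills


if __name__ == "__main__":
    for host, desc, artefact in detect(SAMPLE_LOG):
        print(f"{host}: {desc} [{artefact}]")
    print("hosts with driver + kills:", sorted(hosts_with_driver_and_kills(detect(SAMPLE_LOG))))
```

On the constructed sample, the script flags WS01 for all three stages (service install, driver load, two process terminations within seconds) and DC01 for the installer placed in the SYSVOL scripts directory, while the ordinary tcpip.sys load and the unrelated process exit on WS02 produce nothing. Hunting for the driver by name is deliberately narrow: the same logic extends to any signed-but-vulnerable driver simply by changing DRIVER_NAME or by checking the driver's hash against a blocklist instead.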

A PoC, provided by user kagurazakasanae, showed that a library terminated 360 Total Security. A more comprehensive PoC, provided by Kento Oki, had the following capabilities:
Read/Write any kernel memory with privilege of kernel from user mode.
Read/Write any user memory with privilege of kernel from user mode.
Enumerate a number of modules by specific process id.
Get system uptime.
Enumerate threads in a specific process, allowing reading of the PETHREAD structure in the kernel directly from the command-line interface (CLI).
Terminate a specific process by process id with ZwTerminateProcess, which calls in the vulnerable driver context (ring-0).
