Genshin Impact’s Anti-Cheat Leaving Players Exposed To Ransomware

Genshin Impact players (and everyone else) on PC have been exposed to potential ransomware attacks, following the discovery of a vulnerability in the game’s anti-cheat software.

According to a post on Trend Micro’s research blog, mhyprot2.sys, a driver within the game’s anti-cheat system, is “being abused by a ransomware actor to kill antivirus processes” and create “services for mass-deploying ransomware.”

The vulnerability was found in late July when Trend noted a ransomware infection that had taken root in an otherwise fully protected and properly configured system. After investigating, Trend found that mhyprot2.sys, which provides anti-cheat for Genshin Impact as a device driver, was being used to bypass system privilege restrictions: commands issued from kernel mode were knocking down system protections.

As of the blog’s writing on August 24th, mhyprot2.sys was still vulnerable.

However, it gets worse.

“This ransomware was simply the first instance of malicious activity we noted,” the blog continues. “The threat actor aimed to deploy ransomware within the victim’s device and then spread the infection. Since mhyprot2.sys can be integrated into any malware, we are continuing investigations to determine the scope of the driver.”

Trend has been tracking the vulnerability since it appeared in connection with the use of secretsdump and wmiexec against an organisation using a built-in domain admin account. Secretsdump and wmiexec are tools from Impacket, a free collection of Python classes designed to work with network protocols. Secretsdump is exactly what it sounds like: a tool that dumps secrets from the remote machine without executing any agent there. Wmiexec is used to execute remote commands through Windows Management Instrumentation. The actor then connected to the domain controller via remote desktop protocol, through a compromised admin account. The hacker added an executable called kill_svc.exe and mhyprot2.sys to the remote machine’s desktop, the first time Trend had encountered the vulnerable driver. kill_svc.exe installed mhyprot2.sys as a service. From there, the hacker was off to the races, tearing down the AVG Internet Security installed on the target machine and preparing a mass deployment of their ransomware.

The takeaway from this: you don’t even need a full Genshin install present for mhyprot2.sys to create a vulnerability. Worse still, Genshin Impact developer MiHoYo has been aware of the driver’s vulnerability since at least 2020 and has made no move to fix the situation. Players noticed mhyprot2.sys shortly after Genshin Impact’s launch, wondering in community forums if the game contained spyware. These discussions came about because, even when the game was uninstalled, the driver would remain.
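The chain described above ends with the signed driver being registered as a service from a user’s desktop, which Windows records in the System log as Event ID 7045. The following detection script is an added example for defenders, not code from Trend Micro or the report; the event records, service names and paths in it are constructed for illustration, and the heuristic that kernel drivers should not load from user-writable directories is an assumption of this example.

```python
"""Flag driver-service installations resembling the mhyprot2.sys abuse.

Windows writes System log Event ID 7045 whenever a new service is
registered, including kernel driver services, so those records are a
natural place to look for the vulnerable anti-cheat driver being loaded
outside of a normal game installation.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Driver file named on the page; extend from a vetted blocklist in practice.
KNOWN_ABUSED_DRIVERS = {"mhyprot2.sys"}

# Constructed sample records shaped like Event ID 7045 fields.
# Paths, accounts and service names are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "mhyprot2",
     "ImagePath": "C:\\Users\\admin\\Desktop\\mhyprot2.sys",
     "ServiceType": "kernel mode driver", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "ExampleNic",
     "ImagePath": "C:\\Windows\\System32\\drivers\\examplenic.sys",
     "ServiceType": "kernel mode driver", "Account": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": "\"C:\\Program Files\\Example\\updater.exe\"",
     "ServiceType": "user mode service", "Account": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "mhyprot2", "ImagePath": "",
     "ServiceType": "", "Account": ""},
]


def _is_user_writable(path: str) -> bool:
    """Heuristic (assumption): drivers belong under System32\\drivers,
    not under a user profile, ProgramData or a temp directory."""
    p = path.lower()
    return p.startswith(("c:\\users\\", "c:\\programdata\\")) or "\\temp\\" in p


def classify_7045(event: dict) -> list[str]:
    """Return the reasons a service-install record looks like driver abuse."""
    if event.get("EventID") != 7045:
        return []  # only service installations are of interest here
    image = event.get("ImagePath", "").strip('"').lower()
    reasons = []
    if ntpath.basename(image) in KNOWN_ABUSED_DRIVERS:
        reasons.append("known abusable driver: " + ntpath.basename(image))
    if "kernel" in event.get("ServiceType", "").lower() and _is_user_writable(image):
        reasons.append("kernel driver loaded from user-writable path: " + image)
    return reasons


def scan(events: Iterable[dict]) -> list[tuple[str, list[str]]]:
    """Run the classifier over a log stream; returns (service, reasons) hits."""
    return [(ev["ServiceName"], r) for ev in events if (r := classify_7045(ev))]
```

On the constructed sample, only the desktop-loaded mhyprot2 service is reported, with both reasons attached; the in-box driver and the user-mode service pass.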

“The issue was also reported by Kento Oki to MiHoYo, the developer of Genshin Impact, as a vulnerability,” reads the blog post. “Kento Oki’s PoC led to more discussions, but the provider did not acknowledge the issue as a vulnerability and did not provide a fix. Of course, the code-signing certificate is still valid and has not been revoked until now and the digital signature for code signing as a device driver is still valid at this time.”

MiHoYo did not immediately return a request for comment. You can read Trend’s blog in full here.

