Hackers are using Genshin Impact's anti-cheat software in ransomware to kill antivirus...

Cal Jeffrey

Facepalm: Anti-cheat software is vital to preserving the integrity of a multiplayer game. However, anti-cheat systems that run with root privileges at the kernel level are dangerous. Security researchers have warned of this since this type of cheat mitigation first reared its head, and now it's being exploited in the wild.

At least one hacker is using anti-cheat software included in the tremendously popular free-to-play MMORPG Genshin Impact to help mass distribute ransomware. The file is named 'mhyprot2.sys' and is described as an anti-cheat driver.

Antivirus vendor Trend Micro received a report in July from a customer who fell victim to ransomware even though his systems had properly configured endpoint protection. When Trend Micro researchers looked into the attack, they discovered a hacker had used a code-signed driver, mhyprot2.sys, to run kernel-level commands that bypassed privilege checks and terminated the antivirus protection.

As of Friday, the code-signing certificate for mhyprot2.sys is still valid, so Windows continues to treat the driver as trustworthy. Furthermore, Genshin Impact doesn't need to be installed for the driver exploit to work. Malicious actors can use the driver independently and bundle mhyprot2.sys with any malware.

The driver has been around since 2020, and a GitHub developer even made a proof-of-concept that demonstrated how someone could abuse mhyprot2.sys to shut down system processes, including antivirus systems. However, Trend Micro said this is the first time it has noticed someone using the driver maliciously in the wild.

"This ransomware was simply the first instance of malicious activity we noted," reads the report. "The threat actor aimed to deploy ransomware within the victim's device and then spread the infection. Since mhyprot2.sys can be integrated into any malware, we are continuing investigations to determine the scope of the driver."

Trend Micro notified Genshin Impact studio miHoYo of the vulnerability, and developers are working on a fix. The problem is that since hackers can deploy the driver independently, any patches will only affect those with the game installed. Plus, hackers will likely pass old versions around their communities for years.

Trend Micro notes it has made specific fixes to its antivirus software to mitigate the driver, but other virus protection suites might miss mhyprot2.sys unless specifically configured to detect it.

"Not all security products are deployed the same and may have certificate checking in different levels of the stack or may not check at all," Trend Micro's Jamz Yaneza told PCMag.

It may take a while for other antivirus vendors to catch up. In the meantime, security researcher Kevin Beaumont recommends blocking the driver's hash (above) if your security suite supports hash blocking.
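As an added defender's example (not code from the article, Trend Micro or miHoYo), here is a small Python check in the spirit of the hash-blocking advice above: it scans constructed driver-load records, flags a load when the SHA-256 matches a blocklist or the file name is mhyprot2.sys, and notes that a valid signature alone would not have caught it. The pipe-separated record format, the sample paths and the all-zero placeholder hash are assumptions; the real hash must come from the vendor report.

```python
import re
from typing import Optional
from pathlib import PureWindowsPath

# SHA-256 values of drivers known to be abusable. The real mhyprot2.sys hash is not
# reproduced on this page; "0" * 64 is a constructed placeholder to be replaced
# with the value from the vendor report.
BLOCKED_SHA256 = {"0" * 64}
# File names worth flagging even when the hash is unknown (e.g. an older build).
SUSPECT_NAMES = {"mhyprot2.sys"}

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' driver-load record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def sha256_of(event: dict) -> Optional[str]:
    """Extract the SHA256 from a Sysmon-style Hashes field ('SHA256=...,MD5=...')."""
    match = re.search(r"SHA256=([0-9a-fA-F]{64})", event.get("Hashes", ""))
    return match.group(1).lower() if match else None

def classify(event: dict) -> list:
    """Return the reasons a driver load should be flagged (empty list = not flagged)."""
    name = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
    reasons = []
    if sha256_of(event) in BLOCKED_SHA256:
        reasons.append("hash on blocklist")
    if name in SUSPECT_NAMES:
        reasons.append("known-abusable driver name")
    if reasons and event.get("SignatureStatus", "").lower() == "valid":
        # A valid signature does not clear it: the abused driver is validly signed.
        reasons.append("validly signed, so signature checks alone would miss it")
    return reasons

def scan(lines: list) -> dict:
    """Map each flagged image path to the reasons it was flagged."""
    flagged = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            flagged[event.get("ImageLoaded", "?")] = reasons
    return flagged

# Constructed sample records (not real telemetry): a normal Windows driver, the abused
# driver dropped in a temp directory, and a copy with an unknown hash loaded elsewhere.
SAMPLE_EVENTS = [
    r"ImageLoaded=C:\Windows\System32\drivers\acpi.sys|Hashes=SHA256=" + "a" * 64
    + "|Signed=true|Signature=Microsoft Windows|SignatureStatus=Valid",
    r"ImageLoaded=C:\Users\victim\AppData\Local\Temp\mhyprot2.sys|Hashes=SHA256=" + "0" * 64
    + "|Signed=true|Signature=miHoYo|SignatureStatus=Valid",
    r"ImageLoaded=C:\ProgramData\svc\MHYPROT2.SYS|Hashes=SHA256=" + "b" * 64
    + "|Signed=true|Signature=miHoYo|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(reasons))
```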


 

Puiu

Sounds like this is a case where MS blocks it with a security update after GI has an updated and re-signed version.
Pretty much what needs to happen. I fear that other games that use this type of anticheat could also have the same problems (like Valorant).

Many will just accept the risk just because it works better than other types of anticheat software. (I'm on the fence about it)
 

BSim500

Welcome to the reality of stupidly allowing any software (anti-cheat no exception) to run as a glorified rootkit with Ring 0 permissions "because muh 'must have' game". And it still doesn't stop the new form of cheating, i.e., a dongle that takes the PC's HDMI output and passes it through to the monitor, and simultaneously takes USB mouse / controller input and passes that through to the PC's USB port, then rapidly AI-analyzes the video output per frame and auto-aims the mouse / controller in a completely undetectable manner outside the OS itself. Even works for consoles too.

The only way you'll ever truly win against cheaters is to turn PCs into hyper-locked-down, ultra walled-garden consoles with "white-listed" uniform hardware (that means no ultrawide because "that's cheating", no monitor-level enhancements like "LG's Black Stabilizer" because "that's cheating", etc.), at which point PCs will no longer be PCs...
 

MaitieS

Wait, but GI's anti-cheat is not like Valorant's one and doesn't boot up with the kernel, so it can only be activated while the game is online, right? Or at least I remember people complaining about it on the launch of GI, and they fixed it a few hrs. later so that you could kill these processes after you closed the game.
 
I used scripts to hack a solo game before; it was for resources like gold. Imagine having infinite resin or mora, and if possible primogems, to get any character at C6 R6. I know one YouTuber who has spent about 20,000 so far. Hoyoverse prevents all of these types of hacks, which could cost them millions of dollars.
 

terzaerian

Welcome to the reality of stupidly allowing any software (anti-cheat no exception) to run as a glorified rootkit with Ring 0 permissions "because muh 'must have' game". And it still doesn't stop the new form of cheating, i.e., a dongle that takes the PC's HDMI output and passes it through to the monitor, and simultaneously takes USB mouse / controller input and passes that through to the PC's USB port, then rapidly AI-analyzes the video output per frame and auto-aims the mouse / controller in a completely undetectable manner outside the OS itself. Even works for consoles too.

The only way you'll ever truly win against cheaters is to turn PCs into hyper-locked-down, ultra walled-garden consoles with "white-listed" uniform hardware (that means no ultrawide because "that's cheating", no monitor-level enhancements like "LG's Black Stabilizer" because "that's cheating", etc.), at which point PCs will no longer be PCs...
This is why I'm moving away from multiplayer gaming. PVP inevitably consumes everything it touches in the name of balance, and it's stupid because we already have a perfectly balanced 1v1 match - it's called Chess. Speed Chess if you'd like a variant where you have to have twitchy timing.