Ransomware attack that disables antivirus by abusing the anti-cheat driver of the PC version of 'Genshin Impact' discovered; even PCs without 'Genshin Impact' installed are targeted



It has come to light that the anti-cheat system of the popular action RPG 'Genshin Impact' is being abused to disable antivirus software and carry out ransomware attacks. Because the attack works independently of the game and its services, even PCs on which 'Genshin Impact' is not installed can be targeted.

Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html

Hackers abuse Genshin Impact anti-cheat system to disable antivirus
https://www.bleepingcomputer.com/news/security/hackers-abuse-genshin-impact-anti-cheat-system-to-disable-antivirus/

Genshin Impact Anti-Cheat File is Abused to Mass-Deploy Ransomware and Kill Antivirus Processes
https://wccftech.com/genshin-impact-anti-cheat-file-is-abused-to-mass-deploy-ransomware-and-kill-antivirus-processes/

Ransomware exploits Jenshin Impact's kernel mode anti-cheat to bypass antivirus protection - Top Trend Newz
https://toptrendnewz.com/ransomware-exploits-jenshin-impacts-kernel-mode-anti-cheat-to-bypass-antivirus-protection/

Security company Trend Micro reported on August 24, 2022 that it discovered that `` mhyprot2.



According to the report, the game itself did not need to be installed on the victim's PC; 'mhyprot2.sys' was used on its own, independently of the game. Trend Micro therefore believes that the easy availability of mhyprot2.sys, its versatility as a tool for bypassing privileges, and the existence of well-crafted proof-of-concept exploits likely attracted the attention of threat actors.

In this regard, Trend Micro pointed out that ``security teams and system administrators should keep in mind that mhyprot2.sys can be incorporated into any malware.''

In the newly discovered attack, the threat actor first loaded mhyprot2.sys on the victim's PC and used it to stop the endpoint protection processes. A fake antivirus installer was then run to install the ransomware, and a helper executable, 'kill_svc.exe', which installed the mhyprot2 driver service, was used to terminate the legitimate antivirus software. The specific ransomware family used was not named in the report.
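The attack chain above leaves two ordinary Windows events behind: a kernel-mode driver service being installed (System log Event ID 7045) and the driver being loaded (Sysmon Event ID 6). The detection helper below is an added example, not code from Trend Micro, miHoYo or the original article. It scans flattened key=value event lines for mhyprot2.sys and rates each hit by whether the host is known to run Genshin Impact at all and whether the driver sits inside the game's install directory. The log format, the sample lines, the host inventory and the `GAME_DIR_HINT` substring are constructed assumptions for the example.

```python
"""Flag mhyprot2.sys service installs and driver loads in Windows event logs.

Added example (not from Trend Micro, miHoYo or the article). The key=value
line format mirrors how many SIEM forwarders flatten Windows event XML; the
sample lines below and the host inventory are constructed for this example.
"""
import re
from dataclasses import dataclass

DRIVER_NAME = "mhyprot2.sys"
# Substring identifying the game's own install directory (assumption).
GAME_DIR_HINT = "genshin impact"

# Constructed sample events: a normal game install on WS01, the same driver
# dropped into a public folder on a file server, and two unrelated events.
SAMPLE_LOG = """\
EventID=7045 Computer=WS01 ServiceName=mhyprot2 ImagePath="C:\\Program Files\\Genshin Impact\\Genshin Impact game\\mhyprot2.sys" ServiceType="kernel mode driver"
EventID=6 Computer=WS01 ImageLoaded="C:\\Program Files\\Genshin Impact\\Genshin Impact game\\mhyprot2.sys" Signed=true
EventID=7045 Computer=FILESRV02 ServiceName=mhyprot2 ImagePath="C:\\Users\\Public\\mhyprot2.sys" ServiceType="kernel mode driver"
EventID=6 Computer=FILESRV02 ImageLoaded="C:\\Users\\Public\\mhyprot2.sys" Signed=true
EventID=7045 Computer=FILESRV02 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe" ServiceType="Win32 own process"
EventID=6 Computer=WS03 ImageLoaded="C:\\Windows\\System32\\drivers\\tcpip.sys" Signed=true
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    event_id: int
    host: str
    image_path: str
    severity: str  # "high" or "low"
    reason: str


def parse_line(line: str) -> dict:
    """Flatten one key=value event line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (either slash style)."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def classify(event_id: int, host: str, path: str, hosts_with_genshin) -> tuple:
    """Rate an mhyprot2 event.

    Every occurrence is reported, because the driver is a legitimate signed
    module that malware can ship on its own. It is rated high when the host
    is not known to run Genshin Impact, or when the driver is loaded from
    outside the game directory; neither fits normal game use.
    """
    kind = "service installed" if event_id == 7045 else "driver loaded"
    if host not in hosts_with_genshin:
        return "high", f"mhyprot2 {kind} on a host without Genshin Impact"
    if GAME_DIR_HINT not in path.lower():
        return "high", f"mhyprot2 {kind} from outside the game directory"
    return "low", f"mhyprot2 {kind} by the game install (verify anyway)"


def analyze(lines, hosts_with_genshin=frozenset()) -> list:
    """Return a Finding for every 7045/Sysmon-6 event naming mhyprot2.sys."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        event_id = int(ev.get("EventID", "0"))
        path = ev.get("ImagePath") or ev.get("ImageLoaded") or ""
        if event_id not in (7045, 6) or basename(path) != DRIVER_NAME:
            continue
        host = ev.get("Computer", "?")
        severity, reason = classify(event_id, host, path, hosts_with_genshin)
        findings.append(Finding(event_id, host, path, severity, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines(), hosts_with_genshin={"WS01"}):
        print(f"[{f.severity.upper()}] {f.host} evt={f.event_id} {f.reason}: {f.image_path}")
```

Run as-is it reports the two WS01 events as low and the two FILESRV02 events as high. The host inventory is the important input: because the driver is a validly signed, legitimate file, a hash or signer match alone says nothing about intent, while mhyprot2 appearing on a machine that has no business running the game is exactly the case the article describes.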

As mentioned above, mhyprot2.sys is the anti-cheat driver of the PC version of 'Genshin Impact'. Around the game's release it was criticized as spyware, because it remained on the system even after 'Genshin Impact' was uninstalled and ran in kernel mode, where it can be used to bypass privilege restrictions. At the time, the Genshin Impact team issued an official statement saying that the specification would be revised.



The mhyprot2.sys that Trend Micro observed this time was built in August 2020, before the official release of 'Genshin Impact'. Shortly after the game's release, a proof of concept demonstrating the problem with mhyprot2.sys was published, and another researcher who found the issue reported it to miHoYo, the developer of Genshin Impact. However, miHoYo did not recognize it as a vulnerability and did not fix it.

Trend Micro said of mhyprot2.sys: ``This module is so easy to obtain, and will remain available to anyone until it disappears, that it could continue to be used for a long time as a handy utility for bypassing privileges. Certificate revocation and antivirus detection may discourage the abuse, but because mhyprot2.sys is a legitimate module, there is no solution at this time.''

in Game,   Security, Posted by log1l_ks