Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home Ethical Hackers

Ransomware Attackers Abuse Genshin Impact Anti-Cheat System to Disable Antivirus

admin by admin
September 5, 2022
in Ethical Hackers


A vulnerable anti-cheat driver for the Genshin Impact video game has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware, according to findings from Trend Micro.

The ransomware infection, which was triggered in the last week of July 2022, banked on the fact that the driver in question (“mhyprot2.sys”) is signed with a valid certificate, thereby making it possible to circumvent privileges and terminate services associated with endpoint protection applications.

Genshin Impact is a popular action role-playing game that was developed and published by Shanghai-based developer miHoYo in September 2020.

CyberSecurity

The driver used in the attack chain is said to have been built in August 2020, with the existence of the flaw in the module discussed after the release of the game, and leading to exploits demonstrating the ability to kill any arbitrary process and escalate to kernel mode.

The idea, in a nutshell, is to use the legitimate device driver module with valid code signing to escalate privileges from user mode to kernel mode, reaffirming how adversaries are constantly looking for different ways to stealthily deploy malware.

“The threat actor aimed to deploy ransomware within the victim’s device and then spread the infection,” incident response analysts Ryan Soliven and Hitomi Kimura said.

“Organizations and security teams should be careful because of several factors: the ease of obtaining the mhyprot2.sys module, the versatility of the driver in terms of bypassing privileges, and the existence of well-made proofs of concept (PoCs).”

In the incident analyzed by Trend Micro, a compromised endpoint belonging to an unnamed entity was used as a conduit to connect to the domain controller via remote desktop protocol (RDP) and transfer to it a Windows installer posing as AVG Internet Security, which dropped and executed, among other files, the vulnerable driver.

CyberSecurity

The goal, the researchers said, was to mass-deploy the ransomware to using the domain controller via a batch file that installs the driver, kills antivirus services, and launches the ransomware payload.

Trend Micro pointed out that the game “does not need to be installed on a victim’s device for this to work,” meaning threat actors can simply install the anti-cheat driver as a precursor to ransomware deployment.

We have reached out to miHoYo for comment, and we will update the story if we hear back.

“It is still rare to find a module with code signing as a device driver that can be abused,” the researchers said. “This module is very easy to obtain and will be available to everyone until it is erased from existence. It could remain for a long time as a useful utility for bypassing privileges.”

“Certificate revocation and antivirus detection might help to discourage the abuse, but there are no solutions at this time because it is a legitimate module.”





Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
Previous Post

POC For Frustrating/Defeating Malware Analysts

Next Post

Cómo acceder a Disney Star+ en España

Next Post

Cómo acceder a Disney Star+ en España

Recommended

Best Hotspot Shield alternatives in 2022

1 month ago

Estadísticas sobre ciberseguridad y cibercrimen en España

2 months ago

© 2022 Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.