A vulnerable anti-cheat driver for the Genshin Impact video game has been leveraged by a cybercrime actor to disable antivirus programs to facilitate the deployment of ransomware, according to findings from Trend Micro.
The ransomware infection, which was triggered in the last week of July 2022, banked on the fact that the driver in question (“mhyprot2.sys”) is signed with a valid certificate, thereby making it possible to circumvent privileges and terminate services associated with endpoint protection applications.
Genshin Impact is a popular action role-playing game that was developed and published by Shanghai-based developer miHoYo in September 2020.
The driver used in the attack chain is said to have been built in August 2020, with the existence of the flaw in the module discussed after the release of the game, and leading to exploits demonstrating the ability to kill any arbitrary process and escalate to kernel mode.
The idea, in a nutshell, is to use the legitimate device driver module with valid code signing to escalate privileges from user mode to kernel mode, reaffirming how adversaries are constantly looking for different ways to stealthily deploy malware.