Threat actors abused a vulnerable anti-cheat driver, named mhyprot2.sys, for the Genshin Impact video game to disable antivirus software. According to Trend Micro, a cybercrime gang abused the driver to deploy ransomware.
The driver provides anti-cheat functions, but threat actors have found a way to use it to escalate privileges and kill the processes and services associated with endpoint protection applications.
The attack abusing the mhyprot2.sys drive was spotted by the security firm during the last week of July 2022, when threat actors attempted to deploy ransomware.
The code signing for mhyprot2.sys was still valid at the time of the report, experts pointed out that the use of this driver is independent of the game, which means that Genshin Impact does not need to be installed on a victim’s device.
The researchers speculate that other threat actors could abuse this driver for their malware-based attacks.
In the attack analyzed by the experts, threat actors deployed a malicious Windows installer posing as AVG Internet Security to the domain controller. The installer dropped and executed the driver used in the attack, Trend Micro believes the threat actor intended to mass-deploy the ransomware using the domain controller via startup/logon script.
