Elain Brown Games 08.25.2022 22:Aug PM EDT

Hackers Abuse the Anti-Cheat System in Genshin Impact To Bypass Antivirus Protection

Hackers have been detected exploiting the anti-cheat system in Genshin Impact to breach devices.

The virus deployed by the actors has the capability to disable the antivirus software while conducting ransomware attacks.

Genshin Impact, one of the most played and talked about free-to-play RPGs in recent times, has an anti-cheat driver that has been exploited by ransomware actors.

The hackers attack in an attempt to halt antivirus processes in order to enable the widespread distribution of their ransomware.

Genshin Impact Abused by Hackers

Genshin Impact has been detected to have a vulnerable anti-cheat driver tracked as mhyprot2.sys.

The driver known as "mhypro2.sys" does not require the target system to have the game installed in order to function. Furthermore, it is capable of operating on its own or even being embedded within the malware, providing threat actors with an impactful vulnerability that can disable security software.

According to BleepingComputer, since the year 2020, researchers have been aware of the vulnerable driver, which grants access to any process or kernel memory and the ability to end processes while retaining the highest privileges.

The problem was brought to the vendor's attention by the researchers more than once in the past. Due to the fact that the code-signing certificate has not been revoked, the program can still be installed on Windows without triggering any security alerts.

Genshin Impact's Vulnerability

Genshin Impact's vulnerability was detected by Trend Micro. According to their report, a ransomware infection was triggered in a user environment that was properly configured to have endpoint protection during the last week of July 2022.

After analyzing the sequence, Trend Micro stated, "We found that a code-signed driver called "mhyprot2.sys", which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges."

Due to that, the endpoint protection processes were terminated by commands issued from kernel mode.

The malicious actor wanted to install ransomware on the victim's device so that they could then spread the infection to other devices.

The victim's device does not need to have Genshin Impact installed on it in order for this to work; the utilization of this driver is unrelated to the game itself. The mhyprot2.sys file can be incorporated into various malicious programs.

Mitigation from the Infection

It is important to remember that a valid user mode device driver module must have a valid code signing certificate in order to have the ability to circumvent privileges when switching to kernel mode.

Trend Micro stated, "Even if a vendor acknowledges a privilege bypass as a vulnerability and provides a fix, the module cannot be erased once distributed."

Hackers may be more likely to deploy the anti-cheat module. This is due to the fact that even if the vendor reacts and fixes the flaw, older versions of the module will continue to be distributed.

It is strongly suggested that security respondents or defenders monitor the presence of hash values within their respective organizations.

Furthermore, it is also recommended to keep an eye on the Windows event logs for any information regarding the installation of the service that is associated with the driver.

There is a significant possibility of compromise in the event that the installation of the service was not intended.

Because of the nature of these threat actors, cases of hackers deploying the anti-cheat module to a large number of systems could increase exponentially.