
Ransomware: Burglars disable antivirus with anti-cheat driver

Cyber criminals disable antivirus protection using a vulnerable, signed anti-cheat driver from a game. The game itself does not even need to be installed.


Trend Micro reports an unusual find. During a ransomware attack, the intruders terminated the installed antivirus protection using a signed anti-cheat driver from a game.


Signed drivers can be loaded on 64-bit systems without error messages in kernel mode, i.e. with the highest access rights in the system. That applies to the driver mhyprot2.sys, which is meant to protect the popular game Genshin Impact against cheating by players.

Cyber criminals misuse mhyprot as a rootkit in order to terminate antivirus processes and services with the highest privileges in the system, despite their own limited rights. According to Trend Micro's report, they do this to mass-distribute their ransomware. Attackers can simply bring the driver file along themselves; the game does not need to be installed in order to use the driver's functions.

In this specific case, how the intruders gained access to the network is unknown. Using a hijacked administrator account, they pushed a file kill_svc.exe together with mhyprot2.sys to the domain controller. kill_svc installed the mhyprot service and used it to stop antivirus services. The attackers then copied additional files into the Netlogon directory and executed them. Trend Micro's report details how the intruders planned to terminate further services in this way.

In essence, however, the attackers load the mhyprot driver and try to terminate a list of processes.


If the controlling process (kill_svc.exe, or later HelpPane.exe) finds one of these processes, it sends the control code 0x81034000 to mhyprot via a DeviceIoControl call, which causes the driver to kill the process.

The specific driver used dates back to 2020. According to Trend Micro, it had already been the subject of discussion in gaming forums because it remained on the system after the game was uninstalled and because it allowed rights restrictions to be circumvented.

The Web Archive also holds a copy of a page by Kento Oki, who describes the security flaw in the driver in detail and wrote a proof of concept that demonstrates the problem. The source code is also available on GitHub.

mhyprot exposes a series of so-called IOCTLs (system calls for device-specific input and output operations) that should not be reachable from user mode. The driver can copy kernel virtual memory, which can lead to unauthorized information disclosure, privilege escalation and denial of service, Oki explains.

The driver allows reading arbitrary kernel and process memory, writing arbitrary process memory, enumerating arbitrary process modules and threads, reading the system uptime and terminating arbitrary processes, all with plain user rights.

If, as in this case, a driver makes restricted user rights bypassable and grants kernel-mode access, that is a security problem. The driver was signed with a valid key. Revoking it makes sense and is feasible when the private key has been stolen and misused, for example to sign malware, but that is not the case here, Trend Micro explains. A legitimate file is merely being abused; the signature remains valid for the time being.

Administrators can scan their systems for known vulnerable driver files and delete them. Some protection solutions can block files by hash value, for example, which would be another way to prevent misuse of the driver. A repository on GitHub collects known driver files that allow access to kernel memory; mhyprot2.sys is listed there too. This allows IT managers to configure the antivirus they use to flag these files as unwanted.
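As an added example (not from the article, Trend Micro or Kento Oki), the following PowerShell script shows what such a scan can look like on a Windows host: it hashes driver files under the driver directory and, on a domain controller, under SYSVOL, compares them against a list of known bad names and hashes, and also lists any installed driver service whose name or binary matches. The hash list is a placeholder to be filled from a trusted source such as the GitHub repository mentioned above; the search paths and the service-name pattern are assumptions for illustration.

```powershell
# Added example, not code from the article. Run in an elevated PowerShell session.

# PLACEHOLDER: replace with SHA-256 values taken from a trusted vulnerable-driver list.
$KnownBadSha256 = @(
    'PLACEHOLDER_SHA256_OF_MHYPROT2_SYS'
)
# File name named in the article; extend as needed.
$KnownBadNames = @('mhyprot2.sys')

function Find-SuspectDriverFile {
    param(
        # Assumed search roots: driver directory plus SYSVOL (Netlogon lives there on a DC).
        [string[]]$SearchRoot = @("$env:SystemRoot\System32\drivers", "$env:SystemRoot\SYSVOL"),
        [string[]]$BadHash = $KnownBadSha256,
        [string[]]$BadName = $KnownBadNames
    )
    Get-ChildItem -Path $SearchRoot -Recurse -Include *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            $byName = $BadName -contains $_.Name
            $byHash = $BadHash -contains $hash
            if ($byName -or $byHash) {
                # Record the signer too: the point of the article is that the
                # signature is valid, so a signed file is not automatically benign.
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path   = $_.FullName
                    Sha256 = $hash
                    Reason = if ($byHash) { 'hash' } else { 'name' }
                    Signer = $sig.SignerCertificate.Subject
                    Status = $sig.Status
                }
            }
        }
}

function Find-SuspectDriverService {
    param(
        [string[]]$BadName = $KnownBadNames,
        # Assumed pattern: the article names the service "mhyprot".
        [string]$ServiceNamePattern = 'mhyprot*'
    )
    # Win32_SystemDriver covers kernel driver services, installed or running.
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object {
        $binary = Split-Path -Leaf ($_.PathName -replace '"', '')
        ($_.Name -like $ServiceNamePattern) -or ($BadName -contains $binary)
    } | Select-Object Name, State, StartMode, PathName
}

Write-Host '== Suspect driver files =='
Find-SuspectDriverFile | Format-Table -AutoSize

Write-Host '== Suspect driver services =='
Find-SuspectDriverService | Format-Table -AutoSize
```

A scan like this is a point-in-time check: because the attackers bring the driver file with them, a hit only means the file is present now. The durable control is the second measure from the article, blocking the known hashes in the endpoint protection so the driver cannot be written or loaded in the first place, with the scan serving to confirm nothing slipped through earlier.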
