Cyber criminals disable antivirus protection using a game's vulnerable, signed anti-cheat driver. The game itself does not even need to be installed.
Trend Micro reports an unusual find: in a ransomware attack, the intruders terminated the installed antivirus protection using a signed anti-cheat driver from a game.
Signed drivers
Signed drivers can be loaded on 64-bit systems in kernel mode, i.e. with the highest access rights in the system, without any error messages. This also applies to the driver mhyprot2.sys, which is meant to protect the popular game Genshin Impact against cheating by players.
Cyber criminals misuse mhyprot as a rootkit in order to terminate antivirus processes and services with the highest rights in the system, despite their own limited rights. According to Trend Micro's report, they do this to distribute their ransomware en masse. The attackers can simply bring the driver file along themselves; the game does not need to be installed for the driver's functions to be usable.
In this specific case, the intruders gained access to the network in an unknown way. Using a hijacked administrator account, they pushed a file kill_svc.exe together with mhyprot2.sys to the domain controller. kill_svc installed the mhyprot service and thereby stopped antivirus services. The attackers then copied further files into the Netlogon directory and executed them. Trend Micro's report details how the intruders planned to terminate other services in this way.
Essentially, however, the attackers load the mhyprot driver and attempt to terminate a list of processes. If the controlling process (kill_svc.exe, or later HelpPane.exe) finds one of these processes, it sends the code 0x81034000 to mhyprot via a DeviceIoControl call, which causes the driver to kill the process.
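The chain described above (a service installed for the anti-cheat driver, the driver loaded in the kernel, helper binaries launched from the Netlogon share) leaves traces in ordinary Windows event sources. The following detector is an added example and is not code from the article, from Trend Micro or from Kento Oki; it runs over a handful of constructed event records modelled on the System log and Sysmon. The event IDs it assumes are System 7045 (new service installed), Sysmon 6 (driver loaded) and Sysmon 1 (process created); the host names, paths and user name are made up.

```python
"""Added example: flag the mhyprot abuse pattern in constructed event records.

Assumed event IDs: System 7045 (service installed), Sysmon 6 (driver loaded),
Sysmon 1 (process created). Not the article's, Trend Micro's or Oki's code.
"""
import ntpath
from collections import defaultdict

# Constructed sample events; hosts, paths and user are invented for the demo.
SAMPLE_EVENTS = [
    {"host": "DC01", "source": "Sysmon", "id": 1,
     "image": r"\\corp.example\NETLOGON\kill_svc.exe", "user": r"CORP\admin"},
    {"host": "DC01", "source": "System", "id": 7045,
     "service": "mhyprot2", "image": r"C:\Windows\mhyprot2.sys"},
    {"host": "DC01", "source": "Sysmon", "id": 6,
     "image": r"C:\Windows\mhyprot2.sys", "signed": "true"},
    # Benign-looking control event on another host: must not fire.
    {"host": "WS07", "source": "System", "id": 7045,
     "service": "print_svc", "image": r"C:\Windows\System32\drivers\prn.sys"},
]


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on non-Windows hosts)."""
    return ntpath.basename(path).lower()


def classify(ev: dict):
    """Return (severity, reason) for a suspicious event, else None."""
    image = ev.get("image", "")
    base = _basename(image)
    service = ev.get("service", "").lower()
    if ev["source"] == "System" and ev["id"] == 7045:
        # Service registration for the vulnerable anti-cheat driver.
        if service.startswith("mhyprot") or base.startswith("mhyprot"):
            return ("high", "service installed for known vulnerable driver")
    if ev["source"] == "Sysmon" and ev["id"] == 6 and base.startswith("mhyprot"):
        # The driver actually entered the kernel; a valid signature does not
        # make this benign, which is exactly the point of the article.
        return ("high", "vulnerable anti-cheat driver loaded")
    if ev["source"] == "Sysmon" and ev["id"] == 1 and "\\netlogon\\" in image.lower():
        # Executables staged in the Netlogon share are unusual on their own.
        return ("medium", "process launched from Netlogon share")
    return None


def detect(events):
    """List of (host, event_id, severity, reason) for every suspicious event."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append((ev["host"], ev["id"], hit[0], hit[1]))
    return findings


def correlate(events):
    """Per-host verdict: 'critical' when a host shows at least two distinct
    suspicious reasons, otherwise the highest single severity seen."""
    per_host = defaultdict(set)
    for host, _eid, severity, reason in detect(events):
        per_host[host].add((severity, reason))
    verdicts = {}
    for host, hits in per_host.items():
        if len(hits) >= 2:
            verdicts[host] = "critical"
        else:
            verdicts[host] = "high" if any(s == "high" for s, _ in hits) else "medium"
    return verdicts


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
    print(correlate(SAMPLE_EVENTS))
```

Name matching on the service or image is only the cheapest signal; the kill itself happens through a DeviceIoControl call that neither the System log nor Sysmon records, so the detection has to key on the driver load and service creation that precede it.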
The specific driver used dates back to 2020. According to Trend Micro, it has been discussed in gaming forums in the past because it remained on the system after the game was uninstalled and because it made it possible to circumvent permission restrictions.
Problematic drivers
The Web Archive also holds a copy of Kento Oki's page, which describes the security gap in the driver in detail; Oki also programmed a proof of concept that demonstrates the problem. The source code is available on GitHub as well.
mhyprot provides a series of so-called IOCTLs (system calls for device-specific input and output operations) that should not be accessible from user mode. The driver can copy virtual kernel memory, which can lead to unauthorized information leaks, privilege escalation on the system and denial of service, Oki explains.
The driver allows reading arbitrary kernel and process memory, writing arbitrary process memory, enumerating arbitrary process modules and threads, reading the system uptime and terminating arbitrary processes, all with ordinary user rights.
Revoke the certificate?
If, as in this case, a driver makes the restricted user rights bypassable and grants kernel-mode access, that is a security problem. The driver was signed with a valid key. Revoking it is sensible and feasible if the private key has been stolen and misused, for example to sign malware, but that is not the case here, Trend Micro explains. A legitimate file is merely being misused, so the signature remains valid for the time being.
Administrators could scan their systems for known vulnerable driver files and delete them. Some protection solutions offer to block files by hash value, for example; that would be another way to prevent misuse of the driver. A repository on GitHub collects known driver files that allow memory access, and mhyprot2.sys can be found there too. This lets IT managers configure the antivirus product in use to classify such files as unwanted.
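A minimal version of the scan recommended above, as an added example that is not code from the article, from Trend Micro or from the GitHub repository: walk a directory tree, hash every .sys file and report those matching a blocklist of SHA-256 values or file names. The hash in BLOCKED_SHA256 is a placeholder, because the article gives no hashes; a real deployment would take the values from a curated vulnerable-driver list. make_demo_tree() builds a constructed sample tree with a stand-in file named mhyprot2.sys so the scanner can be exercised offline.

```python
"""Added example: inventory .sys files and flag known vulnerable drivers.

Not the article's or Trend Micro's code. BLOCKED_SHA256 holds a PLACEHOLDER;
real values come from a maintained vulnerable-driver list.
"""
import hashlib
import os
import tempfile
from pathlib import Path

BLOCKED_NAMES = {"mhyprot2.sys"}  # file name from the article
# PLACEHOLDER hash, not the real driver's digest.
BLOCKED_SHA256 = {"0" * 64}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large drivers do not load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_drivers(root, blocked_hashes=BLOCKED_SHA256, blocked_names=BLOCKED_NAMES):
    """Return [(path, reason, sha256)] for every .sys file under root that
    matches the hash blocklist, the name blocklist, or both."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".sys"):
                continue
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            reasons = []
            if digest in blocked_hashes:
                reasons.append("hash-blocklist")
            if name.lower() in blocked_names:
                reasons.append("name-blocklist")
            if reasons:
                findings.append((str(path), "+".join(reasons), digest))
    return findings


def make_demo_tree():
    """Create a temporary tree with a constructed mhyprot2.sys stand-in and a
    benign file. Returns (root, sha256 of the stand-in). Demo data only."""
    root = tempfile.mkdtemp(prefix="drvscan_")
    drivers = Path(root) / "Windows" / "System32" / "drivers"
    drivers.mkdir(parents=True)
    stand_in = drivers / "mhyprot2.sys"
    stand_in.write_bytes(b"CONSTRUCTED SAMPLE - not a real driver\n")
    (drivers / "benign.sys").write_bytes(b"CONSTRUCTED benign sample\n")
    return root, sha256_of(stand_in)


if __name__ == "__main__":
    demo_root, demo_hash = make_demo_tree()
    # Feed the stand-in's own hash as the blocklist so the demo produces a hit.
    for row in scan_drivers(demo_root, blocked_hashes={demo_hash}):
        print(row)
```

The name match is the weaker of the two checks, since a copied driver can be renamed before it is dropped on the domain controller; the hash is what the antivirus block rule should key on, and the report lists both reasons so the operator can see which one fired.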