A hacking group is getting help spreading its ransomware from an unlikely source: The game Genshin Impact.
Specifically, a ransomware attacker has commandeered an anti-cheat driver in the game, called mhyprot2.sys, according to cybersecurity firm Trend Micro. The reason? The same anti-cheat driver can be used to kill antivirus processes on a PC.
Trend Micro uncovered the tactic last month while investigating a ransomware infection on a computer that had its antivirus protection properly configured. “Analyzing the sequence, we found that a code-signed driver called ‘mhyprot2.sys,’ which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges,” the company said.
This allowed the ransomware infection to use kernel commands to shut down the antivirus detection processes. In addition, the attacker was able to execute the kernel commands without Genshin Impact installed on the hardware. The mhyprot2.sys driver file was simply transferred over to the victim’s PC after the hacker gained remote access.
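The detection angle that follows from the paragraph above is that the driver is legitimately signed, so signature checks alone will not catch it; what stands out is a known abused driver being loaded at all, and especially from somewhere other than the game's install tree on a machine that never had the game. The script below is an added example, not code from the article or from Trend Micro: it runs a small blocklist rule over constructed Sysmon Event ID 6 (Driver Loaded) records rendered as key=value lines. The driver name mhyprot2.sys comes from the article; the install directory, signer name and log lines are assumptions made up for the example.

```python
import re
from pathlib import PureWindowsPath

# Driver file names reported as abused to terminate security processes.
# mhyprot2.sys is the one named in the article; in practice this set is fed
# from a maintained vulnerable-driver list (assumption: you keep such a list).
KNOWN_ABUSED_DRIVERS = {"mhyprot2.sys"}

# Where the legitimate game install would place the driver.
# Constructed assumption for this example, not taken from the article.
EXPECTED_INSTALL_ROOTS = [r"C:\Program Files\Genshin Impact"]

# Constructed Sysmon Event ID 6 records. Field names (ImageLoaded, Signed,
# Signature, SignatureStatus) follow Sysmon's schema; values are made up.
SAMPLE_SYSMON_LINES = [
    r"EventID=6 ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signed=true Signature=Microsoft Windows SignatureStatus=Valid",
    r"EventID=6 ImageLoaded=C:\Users\Public\mhyprot2.sys Signed=true Signature=Example Game Vendor SignatureStatus=Valid",
    r"EventID=6 ImageLoaded=C:\Program Files\Genshin Impact\Genshin Impact Game\mhyprot2.sys Signed=true Signature=Example Game Vendor SignatureStatus=Valid",
    r"EventID=1 Image=C:\Windows\System32\notepad.exe",
]

# key=value pairs; a value runs until the next " Key=" token, so values with
# spaces (paths, signer names) survive intact.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one key=value Sysmon record into a dict."""
    return dict(_KV_RE.findall(line))


def _under_root(path, roots):
    """True if the driver path sits inside one of the expected install roots."""
    lowered = str(path).lower()
    return any(lowered.startswith(root.lower().rstrip("\\") + "\\") for root in roots)


def detect_vulnerable_driver_loads(lines, roots=EXPECTED_INSTALL_ROOTS):
    """Return a finding for every Driver Loaded event that matches the blocklist.

    A valid signature does not lower the severity: the signature is exactly what
    lets the driver load. Loading from outside the game's install tree is the
    stronger signal, since the attacker simply dropped the file onto the host.
    """
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "6":
            continue  # only Driver Loaded events matter here
        image = PureWindowsPath(ev.get("ImageLoaded", ""))
        if image.name.lower() not in KNOWN_ABUSED_DRIVERS:
            continue
        findings.append({
            "driver": image.name.lower(),
            "path": str(image),
            "signed": ev.get("SignatureStatus") == "Valid",
            "severity": "medium" if _under_root(image, roots) else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_vulnerable_driver_loads(SAMPLE_SYSMON_LINES):
        print(f"[{finding['severity']}] {finding['driver']} loaded from {finding['path']} "
              f"(signature valid: {finding['signed']})")
```

The rule deliberately keys on the file name rather than the signer, because the same vendor signature is what makes the driver trusted in the first place; a hash-based match against a vulnerable-driver list, or the Windows vulnerable driver blocklist where it is available, would be the next layer on top of this.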
“This ransomware was simply the first instance of malicious activity we noted,” Trend Micro added. “The threat actor aimed to deploy ransomware within the victim’s device and then spread the infection.”
The mhyprot2.sys file used in the attack was built in August 2020. As an anti-cheat driver, it has powerful features, including the ability to access privileged resources on a PC. In October 2020, a GitHub user even developed a proof-of-concept technique showing how the driver file could be abused to kill system processes, including shutting down a Chinese antivirus product.
The driver file also possesses a legitimate code-signing
Read more on pcmag.com