Threat Actor Abuses Video Game, Genshin Impact Anti-Cheat Driver
Industry: Entertainment | Level: Tactical | Source: Trend Micro
Trend Micro has identified a ransomware actor abusing mhyprot2.sys, the anti-cheat driver for the video game Genshin Impact, to terminate services on the infected host and ultimately deploy ransomware. The driver works independently of the Genshin Impact game, and as such "mhyprot2.sys can be integrated into any malware." The exploitation of the driver was observed in July 2022, when the threat actor carried out a ransomware infection in an environment "having endpoint protection properly configured." By loading the driver, the adversary gains kernel-level privileges and uses them to terminate endpoint protection services. Trend Micro did not capture the initial compromise; the first signs of compromise were the suspicious use of secretsdump and wmiexec discovery commands. The threat actor moved laterally through the environment using RDP and transferred relevant files, such as the driver, to admin shares (ADMIN$). Before deploying the ransomware, the threat actor downloaded and executed an MSI file and a BAT script. However, only the BAT file ran successfully, terminating many services and clearing Windows event logs, after which the threat actor's ransomware was executed.
- Driver Abuse to Terminate Services
Anvilogic Use Cases:
- Windows Admin$ Share Access
- Driver as Command Parameter
- MSIExec Install MSI File
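The following is an added detection example, not code from Trend Micro or Anvilogic, that turns the chain described in the summary and the four use cases listed above into checks over a handful of constructed Windows event records. The field names (`event_id`, `command_line`, `share`, `image`, `service`, `state`) are an assumption modelled loosely on Security-log 4688/5140/1102, System-log 7036 and Sysmon event 6 fields, and the hostnames, service names and `loader.exe` path are constructed. The last check goes slightly beyond the page by correlating the driver load with the service stops and the log clearing that followed it, rather than alerting on the driver alone.

```python
"""Detection checks for the mhyprot2.sys driver-abuse chain (added example, constructed data)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Driver names known to be abusable; mhyprot2.sys is the one the report names.
VULNERABLE_DRIVERS = {"mhyprot2.sys"}

# Constructed sample events (not real telemetry). Field names are an assumption.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2022-07-01T09:50:00", "host": "WS01", "event_id": 5140,        # share access
     "share": r"\\*\ADMIN$", "user": "CORP\\svc-admin"},
    {"ts": "2022-07-01T09:55:00", "host": "WS01", "event_id": 4688,        # process creation
     "command_line": r"msiexec.exe /i C:\Temp\payload.msi /quiet"},
    {"ts": "2022-07-01T09:58:00", "host": "WS01", "event_id": 4688,        # hypothetical loader
     "command_line": r"C:\Temp\loader.exe C:\Temp\mhyprot2.sys"},
    {"ts": "2022-07-01T10:00:00", "host": "WS01", "event_id": 6,           # Sysmon driver load
     "image": r"C:\Temp\mhyprot2.sys"},
    {"ts": "2022-07-01T10:02:00", "host": "WS02", "event_id": 7036,        # benign, other host
     "service": "Spooler", "state": "stopped"},
    {"ts": "2022-07-01T10:03:00", "host": "WS01", "event_id": 4688, "command_line": "notepad.exe"},
    {"ts": "2022-07-01T10:07:00", "host": "WS01", "event_id": 1102},       # audit log cleared
]
# Six service-stop events on WS01 in the minutes after the driver load (constructed names).
SAMPLE_EVENTS += [
    {"ts": f"2022-07-01T10:0{i}:00", "host": "WS01", "event_id": 7036, "service": name, "state": "stopped"}
    for i, name in enumerate(["EdrAgent", "EdrFilter", "WinDefend", "Sense", "wscsvc", "EventLog"], start=1)
]


def _ts(event: Dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def admin_share_access(events: List[Dict]) -> List[Dict]:
    """Windows Admin$ Share Access: 5140 events whose share name is ADMIN$."""
    return [e for e in events
            if e["event_id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$")]


DRIVER_ARG = re.compile(r"\S+\.sys\b", re.IGNORECASE)


def driver_as_command_parameter(events: List[Dict]) -> List[Dict]:
    """Driver as Command Parameter: a process started with a .sys path on its command line."""
    return [e for e in events
            if e["event_id"] == 4688 and DRIVER_ARG.search(e.get("command_line", ""))]


def msiexec_install(events: List[Dict]) -> List[Dict]:
    """MSIExec Install MSI File: msiexec.exe invoked with /i and an .msi argument."""
    hits = []
    for e in events:
        if e["event_id"] != 4688:
            continue
        tokens = e.get("command_line", "").lower().split()
        if tokens and tokens[0].endswith("msiexec.exe") and "/i" in tokens \
                and any(t.endswith(".msi") for t in tokens):
            hits.append(e)
    return hits


def driver_abuse_terminating_services(events: List[Dict], min_stops: int = 5,
                                      window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Driver Abuse to Terminate Services: a known-abusable driver is loaded (Sysmon 6) and, on the
    same host within `window`, at least `min_stops` services stop (7036); notes any 1102 log clear."""
    findings = []
    loads = [e for e in events if e["event_id"] == 6
             and e.get("image", "").lower().rsplit("\\", 1)[-1] in VULNERABLE_DRIVERS]
    for load in loads:
        t0 = _ts(load)
        in_window = [e for e in events if e["host"] == load["host"] and t0 <= _ts(e) <= t0 + window]
        stopped = sorted((e for e in in_window if e["event_id"] == 7036 and e.get("state") == "stopped"),
                         key=_ts)
        if len(stopped) >= min_stops:
            findings.append({
                "host": load["host"],
                "driver": load["image"],
                "stopped": [e["service"] for e in stopped],
                "event_log_cleared": any(e["event_id"] == 1102 for e in in_window),
            })
    return findings


def run_all(events: List[Dict]) -> Dict[str, int]:
    """Hit count per use case, keyed by the names used in the summary above."""
    return {
        "Driver Abuse to Terminate Services": len(driver_abuse_terminating_services(events)),
        "Windows Admin$ Share Access": len(admin_share_access(events)),
        "Driver as Command Parameter": len(driver_as_command_parameter(events)),
        "MSIExec Install MSI File": len(msiexec_install(events)),
    }


if __name__ == "__main__":
    for name, count in run_all(SAMPLE_EVENTS).items():
        print(f"{count} hit(s): {name}")
    for finding in driver_abuse_terminating_services(SAMPLE_EVENTS):
        print(finding)
```

The individual checks are deliberately broad (any `.sys` argument, any `ADMIN$` access, any `msiexec /i`) and will fire on legitimate administration; the correlated check is the one worth paging on, because a signed driver load followed within minutes by a burst of stopped security services and a cleared event log is the sequence the report describes and has few benign explanations.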