Breaking Down Genshin Impact’s Ransomware Attack

Scott Harper
3 min read · Sep 5, 2022


https://genshin.hoyoverse.com/en/home

In late July 2022, Trend Micro investigated an attack in which a signed kernel driver belonging to Genshin Impact’s anti-cheat engine was used to kill endpoint protection and then drop and run ransomware on the victim’s machine. The game itself did not have to be installed on the victim; only the driver was needed.

What happened?

In order to understand what happened, it’s important to understand the function of anti-cheat mechanisms in video games, particularly MMOs of all kinds.

I wrote last year about the basics of anti-cheat devices, but here’s the gist:

Anti-cheat engines come in one of two forms:

  • Server-side, where the checks run on the servers that host the game and see only what the client sends them
  • Client-side, where an agent runs alongside the game client on the player’s machine and can inspect the machine itself

What these engines do is collect information about player activity according to a sophisticated (and proprietary) rule set. If a rule is triggered, the evidence is sent to the game server, which hits the ban hammer.

Some (not all) client-side engines run at the kernel level in order to gain visibility into processes that interact with the game client, which is exactly the level of access an antivirus relies on to protect itself. What Trend Micro found was that “mhyprot2.sys”, the signed kernel driver for GI’s anti-cheat engine, was being used by an attacker to issue kernel-level operations from user mode and kill the local antivirus processes.

What this does is leave the host unprotected against ordinary malware, or in this case, ransomware.

The setup

In order to deploy the ransomware across the environment, the attacker first needed control of the domain controller (DC). They used a combination of secretsdump (an Impacket tool that dumps credential material such as password hashes from a remote Windows host without executing code on it) and wmiexec (another Impacket tool that gets remote command execution through WMI, a management interface native to Windows) in order to do so.

Once the attacker had control of the DC, they RDPed into a workstation using another compromised admin account and dropped two files there: “kill_svc.exe” and “mhyprot2.sys” (the vulnerable driver). “kill_svc.exe” then registered and loaded the anti-cheat driver as a service and used it to kill the antivirus services.
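The step that stands out in that chain, from a defender’s point of view, is a kernel driver being registered as a new service on a workstation. Windows logs every new service registration, drivers included, as event ID 7045 in the System log (source “Service Control Manager”), and that record carries the service name, image path and service type. The script below is an added example written for this post, not code from Trend Micro or from the attack; it hunts the last 30 days of 7045 events for a kernel-mode driver named mhyprot2 registered from outside the game’s install path, or for any kernel driver whose image sits in a user-writable directory. The “Genshin Impact” path fragment and the list of user-writable directories are this example’s assumptions and should be adjusted to your environment.

```powershell
# Added example: hunt a Windows host for the driver-registration step described above.
# Event ID 7045 (System log, "Service Control Manager") is written whenever a new service
# is registered, kernel-mode drivers included. Run from an elevated PowerShell prompt.

$lookback = (Get-Date).AddDays(-30)

$installs = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = $lookback
} -ErrorAction SilentlyContinue

foreach ($evt in $installs) {
    # 7045 carries named fields: ServiceName, ImagePath, ServiceType, StartType, AccountName
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ServiceType'] -ne 'kernel mode driver') { continue }

    $reasons = @()

    # The anti-cheat driver itself, registered from somewhere other than the game directory
    # ("Genshin Impact" in the path is this example's assumption about a legitimate install)
    if (($data['ServiceName'] -match 'mhyprot') -or ($data['ImagePath'] -match 'mhyprot2\.sys')) {
        if ($data['ImagePath'] -notmatch 'Genshin Impact') {
            $reasons += 'mhyprot2 driver registered from outside the game install path'
        }
    }

    # More general: no legitimate kernel driver should be loaded from a user-writable location
    if ($data['ImagePath'] -match '\\Users\\|\\Temp\\|\\ProgramData\\|\\Public\\') {
        $reasons += 'kernel driver image in a user-writable directory'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Time      = $evt.TimeCreated
            Service   = $data['ServiceName']
            ImagePath = $data['ImagePath']
            Installer = $data['AccountName']
            Reasons   = ($reasons -join '; ')
        }
    }
}
```

A hit on the second rule is worth a look even when the driver is not mhyprot2: a signed-but-abusable driver is only useful to an attacker if they can get it registered, and that registration is the one loud step in an otherwise quiet technique. The AccountName field tells you which account did the registering, which in the incident above would have been the compromised admin account used over RDP.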

Why is this special?

The “mhyprot2.sys” driver is easy to find in the wild and carries no attacker fingerprint: it is a legitimate, signed file, and anyone who downloads the Genshin Impact client gets a copy on their machine. Two years ago, players were already complaining that the driver stayed registered and running after the game was uninstalled. It would only be removed if the command “sc delete mhyprot2” was run from a CMD instance with admin privileges.

It’s also easy to use. It can be installed like any other driver, and once loaded, its interface can be called from an ordinary user-mode program to do things that normally require kernel privileges, such as killing the antivirus processes. Even more so, it’s a signed driver, meaning that Windows recognizes it as a legitimate file and loads it without complaint.
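Because the leftover registration is the thing that keeps an uninstalled game’s driver loadable, it is worth checking for on any machine that once ran the game. The script below is an added example written for this post (not the game’s or Trend Micro’s code); it looks up the mhyprot2 driver both as a Service Control Manager object and as the registry key that backs it, reports what it finds, and, only when run with -Remove from an elevated prompt and only when the game no longer appears to be installed, unregisters it with the same “sc delete” command the post describes. The uninstall-key display name it looks for is this example’s assumption.

```powershell
# Added example: find a leftover mhyprot2 driver registration and optionally remove it.
# Run as administrator. Without -Remove the script only reports.
param([switch]$Remove)

$name = 'mhyprot2'

# What `sc query` / `sc delete` operate on
$svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$name'" -ErrorAction SilentlyContinue

# The registry key behind the service; this is what survives an uninstall that forgets to clean up
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
$regKey  = Get-Item -Path $regPath -ErrorAction SilentlyContinue

if (-not $svc -and -not $regKey) {
    Write-Output "$name is not registered on this host."
    return
}

if ($svc) {
    Write-Output ("{0}: state={1} start={2} path={3}" -f $svc.Name, $svc.State, $svc.StartMode, $svc.PathName)
    # Driver paths are sometimes recorded with a \??\ prefix that Test-Path does not understand
    $diskPath = $svc.PathName -replace '^\\\?\?\\', ''
    if ($diskPath -and -not (Test-Path -LiteralPath $diskPath)) {
        Write-Output "  image file is missing on disk; the registration is dangling"
    }
} else {
    Write-Output "$name has a service key but no SCM object: $regPath"
}

# Do not pull the driver out from under a game that is still installed (display name is an assumption)
$game = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Genshin Impact*' }
if ($game) {
    Write-Output "Genshin Impact appears to be installed; leaving the driver alone."
    return
}

if ($Remove) {
    # The same commands the post describes, from an elevated prompt
    & sc.exe stop $name | Out-Null
    & sc.exe delete $name
    Write-Output "$name unregistered; reboot if the driver was still loaded."
} else {
    Write-Output "Leftover driver registration found. Re-run with -Remove (elevated) to unregister it."
}
```

Unregistering the service only stops the driver from being loaded by name at boot; a copy of mhyprot2.sys left on disk can still be re-registered by anyone with admin rights, which is exactly what “kill_svc.exe” did. Delete the file too if the game is gone.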

And that’s it for this segment in gaming security. Please take care when installing (and uninstalling) video games, and do your homework before choosing what programs to install on your machines. You never know what might be left behind to be exploited later.

In the meantime, have fun and play safe!

Scotty out!
