Genshin Impact Gamers (and everyone else) on PC have been exposed to potential ransomware attacks, following the discovery of a vulnerability in the game’s anti-cheat software.
According to a post on Trend Micro’s research blog, mhyprot2.sys, a driver within the game’s anti-cheat system, is being “abused by a ransomware actor to kill antivirus processes” and create “services for mass deployment of ransomware.” “.
The vulnerability was found in late July when Trend noticed a ransomware infection that had taken root in an otherwise fully protected and properly configured system. After investigation, Trend found that mhyprot2.sys, which provides protection against cheats for Genshin Impact as a device driver, it was being used to bypass system privileges. Kernel mode commands were breaking down system protections.
As of the blog’s writing on August 24, mhyprot2.sys was still vulnerable.
However, it gets worse.
“This ransomware was simply the first instance of malicious activity that we noticed,” the blog continues. “The threat actor aimed to deploy ransomware inside the victim’s device and then spread the infection. As mhyprot2.sys can be embedded in any malware, we are continuing investigations to determine the scope of the driver.”
Trend has been tracking the vulnerability since it appeared in relation to the use of secretsdump and wmiexec against an organization that uses a built-in domain administrator account. Secretsdump and wmiexec are tools from Impacket, a free collection of Python classes designed to work with network protocols. Secretsdump is exactly what it sounds like: a tool that downloads secrets from the remote machine without running any agents there. Wmiexec is used to execute remote commands through Windows Management Instrumentation. The actor then connected to the domain controller via remote desktop protocol, through a compromised administrator account. The hacker added an executable named kill_svc.exe and mhyprot2.sys to the remote machine’s desktop, the first time Trend found the vulnerable driver. kill_scv.exe installed mhyprot2.sys as a service. From there, the hacker set off, taking down the AVG Internet Security installed on the target machine and preparing a massive deployment of the ransomware from it.
The bottom line on this: you don’t even need a Genshin install present for mhyprot2.sys to create a vulnerability. Even worse, Genshin Impact Developer MiHoYo has been aware of the driver vulnerability since at least 2020 and has made no move to fix the situation. Players noticed mhypro2.sys soon after Genshin Impact‘s, wondering on the community forums if the game contained spyware. These discussions arose because even when the game was uninstalled, the driver would remain.
“The problem was also reported by Kento Oki to MiHoYo, the developer of Genshin Impact, as a vulnerability,” reads the blog post. “Kento Oki’s proof of concept led to further discussion, but the vendor did not acknowledge the issue as a vulnerability and did not provide a fix. Of course, the code signing certificate is still valid and has not been revoked until now and the digital signature for code signing as a device driver is still valid at this time.”
MiHoYo did not immediately return a request for comment. You can read the full Trend blog here.