Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

Gandalf_The_Grey

We investigate mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware.

There have already been reports on code-signed rootkits like Netfilter, FiveSys, and Fire Chili. These rootkits are usually signed with stolen certificates or are falsely validated. However, when a legitimate driver is used as a rootkit, that’s a different story. Such is the case of mhyprot2.sys, a vulnerable anti-cheat driver for the popular role-playing game Genshin Impact. The driver is currently being abused by a ransomware actor to kill antivirus processes and services for mass-deploying ransomware. Security teams and defenders should note that mhyprot2.sys can be integrated into any malware.

During the last week of July 2022, a ransomware infection was triggered in a user environment that had endpoint protection properly configured. Analyzing the sequence, we found that a code-signed driver called “mhyprot2.sys”, which provides the anti-cheat functions for Genshin Impact as a device driver, was being abused to bypass privileges. As a result, commands from kernel mode killed the endpoint protection processes.

As of this writing, the code signing for mhyprot2.sys is still valid. Genshin Impact does not need to be installed on a victim’s device for this to work; the use of this driver is independent of the game.

This ransomware was simply the first instance of malicious activity we noted. The threat actor aimed to deploy ransomware within the victim’s device and then spread the infection. Since mhyprot2.sys can be integrated into any malware, we are continuing investigations to determine the scope of the driver.
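The behaviour described above, a legitimately signed driver loaded and then used from kernel mode to kill endpoint-protection processes, is the kind of sequence a SOC can correlate rather than rely on signature checks. The following is an added detection sketch, not code from the quoted write-up or from this thread: it parses a constructed, hypothetical event format (driver-load and process-termination lines), keys on the driver image name mhyprot2.sys named in the post, and raises an alert when protected processes die within a short window of that load. The process names, the time window, the log layout and the sample timestamps are all assumptions for illustration.

```python
"""Correlate driver-load and process-termination events so that a known-abused,
validly signed driver (mhyprot2.sys from the thread) followed shortly by the
death of security-product processes surfaces as one alert.

The log lines and their field layout are constructed for this example and do
not correspond to any real product's format."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Drivers known to be abused as a kernel-mode "AV killer".  Only mhyprot2.sys is
# named in the thread; extend this set from your own intelligence.
ABUSED_DRIVERS = {"mhyprot2.sys"}

# Placeholder names for endpoint-protection processes in your environment.
PROTECTED_PROCESSES = {"edr_agent.exe", "av_service.exe"}

# Hypothetical line shape: "<iso-timestamp> <EventType> image=<path> [signed=<status>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>DriverLoaded|ProcessTerminated) "
    r"image=(?P<image>.+?)(?: signed=(?P<signed>\w+))?$"
)


@dataclass
class Event:
    ts: datetime
    kind: str
    image: str            # basename, lower-cased
    signed: Optional[str]


def parse(lines) -> List[Event]:
    """Turn raw lines into Events sorted by time; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        basename = m["image"].rsplit("\\", 1)[-1].lower()
        events.append(Event(datetime.fromisoformat(m["ts"]), m["event"], basename, m["signed"]))
    return sorted(events, key=lambda e: e.ts)


def detect(lines, window_seconds: int = 120) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return one alert per abused-driver load: (driver, signed status, protected
    processes terminated within the window).  The signature status is reported
    for the analyst but never used to suppress the alert: the whole point of the
    thread is that the abused driver carries a valid signature."""
    events = parse(lines)
    alerts = []
    for i, ev in enumerate(events):
        if ev.kind != "DriverLoaded" or ev.image not in ABUSED_DRIVERS:
            continue
        deadline = ev.ts + timedelta(seconds=window_seconds)
        killed = [
            e.image for e in events[i + 1:]
            if e.kind == "ProcessTerminated" and e.ts <= deadline and e.image in PROTECTED_PROCESSES
        ]
        alerts.append((ev.image, ev.signed, killed))
    return alerts


# Constructed sample telemetry (paths, names and times are made up).
SAMPLE_LOG = """
2022-07-28T10:00:01 DriverLoaded image=C:\\Windows\\Temp\\mhyprot2.sys signed=valid
2022-07-28T10:00:07 ProcessTerminated image=C:\\Program Files\\EDR\\edr_agent.exe
2022-07-28T10:00:08 ProcessTerminated image=C:\\Program Files\\AV\\av_service.exe
2022-07-28T10:00:09 ProcessTerminated image=C:\\Windows\\notepad.exe
2022-07-28T11:30:00 DriverLoaded image=C:\\Windows\\System32\\drivers\\example.sys signed=valid
"""

if __name__ == "__main__":
    for driver, signed, killed in detect(SAMPLE_LOG.strip().splitlines()):
        print(f"ALERT: {driver} loaded (signature: {signed}); protected processes killed: {killed}")
```

Because the driver is matched by name rather than by trust status, the rule still fires after the code signing is eventually revoked or when a renamed copy keeps its original internal name; for a renamed file you would add a hash or the signer's subject name to the match, which this sketch leaves out.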
 

upnorth

[Image: Genshin Impact Figure 9]

[Image: Genshin Impact Figure 10]
