[MART] - Daily Diary #588 - Video Game Anti-Cheat Driver Abused to Deploy Ransomware

[ctas-mat at appgate.com]

Hello everyone!


For more than two years MART has been writing Daily Diaries that we share with some members of Appgate and our distribution list mart at lists.immunityinc.com<mailto:mart at lists.immunityinc.com>. From now on, we will start sharing our Daily Diaries with everyone in Immunity, in the hope it can generate some cybersecurity-related discussions and so we can receive feedback from you!


MART's Daily Diaries topics are very diverse. Sometimes covering attacks, techniques, or malware that we are seeing in the wild, others commenting on cybersecurity-related news. Whenever possible, we try to provide recommendations to mitigate or prevent some kind of attack.


Since last week, our Daily Diaries are also featured on Appgate's Social Media accounts. Every week one of our Daily Diaries will be recorded as a short TikTok video. The first one is already out there, featuring @Sergio Luis Florez Percy<mailto:sergio.florez at appgate.com>. Check it out here: https://www.tiktok.com/@appgatelatam/video/7139569444250029318.


We hope you like it, and please reply to us if you have any questions, suggestions, comments, or fixes. If you want to check some of our older Daily Diaries, they can be accessed through our distribution list history here https://lists.immunityinc.com/pipermail/mart/. Also, if you have any suggestions for topics that we could cover in our Daily Diaries, feel free to share them with us on Teams or through MART's e-mail ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>.

Below is the entry for today.

09/05/2022 - Diary entry #588:

Recently, during the end of July this year, a signed and vulnerable driver (mhyprot2.sys) was found being abused to bypass privileges and deploy ransomware. The driver belongs to an anti-cheat solution for Genshin Impact, a popular role-playing game.

The driver used in the attack is available since August 2020 and has been abused since then, resulting in PoC exploits demonstrating the ability to kill any arbitrary process. Since drivers are able to access privileged functions, threat actors abuse their vulnerabilities to kill endpoint protection processes, and successfully spread and execute their malware.

This is not the first time we have covered drivers being abused by threat actors. In May this year, we covered (on Daily Diary #502) AvosLocker abusing a trusted Avast driver (responsible for Avast’s Anti-Rootkit solution) to attack installed AV solutions. Most recently, on Daily Diary #571, we also covered the group behind Cuba Ransomware, Tropical Scorpius APT, that used a leaked Nvidia certificate to sign a kernel drive used for terminating security products processes as well.

To mitigate this kind of attack, we recommend having a list of commonly abused drivers, and to monitor hosts installing those drivers or with no endpoint solution processes running. Since most of those belong to outdated software (before the vulnerability has been fixed) the fact that the driver is installed is enough to consider the device compromised (or suspicious). Then, isolate the compromised devices immediately to prevent the attack from spreading.

Kind Regards,

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/logo@2x.png]<https://www.appgate.com/>

[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>



MART

Malware Analysis and Research Team

Appgate

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220905/3b669857/attachment.htm>