This game lets hackers attack your PC, and you don’t even need to play it

Hackers have abused the anti-cheat system in the massively popular game, and you don’t even need to have it installed on your computer to be affected.

The game in question is called Genshin Impact, and according to a new report, hackers can exploit the game’s anti-cheat measures to disable antivirus programs on a target computer. From there, they can freely launch ransomware attacks and take control of the device.

Genshin Impact hack overview. Image: Trend Micro

Trend Micro has prepared an extensive report on this new hack, describing in detail how it works. The attack is performed using a Genshin Impact driver named “mhyprot2.sys.” As mentioned above, the game does not need to be installed on the target device: the driver works on its own and does not need the game to be present.

Researchers have found evidence that threat actors have been using this vulnerability to carry out ransomware attacks since July 2022. While it’s unclear how the hackers initially gain access to their target, once inside, they can use the Genshin Impact driver to access the computer’s kernel. The kernel has complete control over everything that happens on your system, so it’s disastrous for a threat actor to be able to reach it.

The hackers used “secretsdump,” which helped them grab administrator credentials, and “wmiexec,” which executed their commands remotely through Windows Management Instrumentation, Windows’ own management interface. Both are free, open-source tools from Impacket that anyone can download.

With that out of the way, the threat actors could connect to the domain controller and install malicious files on the machine. One of these files was an executable named “kill_svc.exe,” which was used to install the Genshin Impact driver. After “avg.msi” was dropped on the affected computer’s desktop, four files were downloaded and executed. Eventually, the attacker was able to completely disable the computer’s antivirus software and deliver the ransomware payload.

After some hiccups, the adversaries were able to load the driver and ransomware onto a network share with the aim of mass deployment, meaning they could affect multiple workstations connected to the same network.

If you are a company and use MDE or similar, I recommend blocking this hash, it is a vulnerable driver. 509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6

Instantly boots to Windows 11 with TPM and all, problem ignored.

— Hate Cloudflare Support (@GossiTheDog) August 25, 2022

According to Trend Micro, Genshin Impact’s developers were notified of the vulnerabilities in the game module back in 2020. Despite this, the driver’s code-signing certificate is still valid, meaning Windows still treats the driver as trusted.

Even if the vendor reacts and fixes this major bug, old versions of the driver will remain available on the Internet and thus still pose a threat. Security researcher Kevin Beaumont advised users to block the following hash to protect themselves from the vulnerable driver: 0466e90bf0e83b776ca8716e01d35a8a2e5f96d3.
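As an added defensive example (not from the article, Trend Micro, or the game’s developers), this Python script hashes every `.sys` file under a directory and reports any whose SHA-1 or SHA-256 matches the two indicators quoted above. The `scan_directory` and `demo` helpers are my own assumptions, and the demo runs on a constructed placeholder file, not the real driver.

```python
import hashlib
import tempfile
from pathlib import Path

# Indicators quoted in the article: the SHA-256 from the MDE block advice and
# the SHA-1 from Kevin Beaumont's recommendation, lowercased for comparison.
KNOWN_BAD_HASHES = {
    "509628b6d16d2428031311d7bd2add8d5f5160e9ecc0cd909f1e82bbbb3234d6",  # SHA-256
    "0466e90bf0e83b776ca8716e01d35a8a2e5f96d3",                          # SHA-1
}

def file_digests(path: Path) -> dict:
    """Return SHA-1 and SHA-256 hex digests, streaming so large files are fine."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}

def scan_directory(root: Path, bad_hashes=KNOWN_BAD_HASHES, suffix=".sys") -> list:
    """Hash every file with `suffix` under `root` and report indicator matches.

    Matching is by content hash, not by file name: a renamed copy of the
    driver hashes the same, while a name check would miss it.
    """
    wanted = {h.lower() for h in bad_hashes}
    hits = []
    for path in root.rglob(f"*{suffix}"):
        if not path.is_file():
            continue
        digests = file_digests(path)
        matched = [alg for alg, h in digests.items() if h in wanted]
        if matched:
            hits.append({"path": str(path), "matched_by": matched, **digests})
    return hits

def demo() -> list:
    """Self-check on a constructed placeholder file (hypothetical, not the real driver)."""
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "renamed_driver.sys"
        fake.write_bytes(b"constructed placeholder bytes, not mhyprot2.sys\n")
        # Add the placeholder's own SHA-256 so the scan has something to find.
        bad = KNOWN_BAD_HASHES | {file_digests(fake)["sha256"]}
        return scan_directory(Path(tmp), bad_hashes=bad)
```

For a real check, point `scan_directory` at the driver directory (for example `Path(r"C:\Windows\System32\drivers")`) and feed any hits into your EDR block list.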

As of now, Genshin Impact’s creators have not responded to these findings. This is just one of many recent cyberattacks, which have doubled since last year according to a new report.

Source: newstars.edu.vn